Checkov report ingestion doesn't work

Hello,

I’m trying to ingest Checkov reports in my SonarQube Enterprise 9.9, but whatever I try never seems to work.

I run a GitLab CI job that generates the report, using this command:

# in checkov.sh
checkov \
        --framework terraform  \
        --directory iac \
        -o cli -o json \
        --output-file-path console,"reports/checkov.json"

I then export the report as an artifact of the job in the .gitlab-ci.yml file:

test:checkov:
  stage: checkov
  image:
    name: gcr.io/gbl-ist-ve-gitlabrunner/checkov:latest
    entrypoint: [""]
  script:
    - ./checkov.sh
  artifacts:
    paths:
      - reports/checkov.json
    when: always
  allow_failure: true

I have another job that then performs the Sonar scan:

sonar:
  stage: test:technical:post
  image: gcr.io/gbl-ist-ve-gitlabrunner/sonar:latest
  script:
    - ./sonar.sh

And sonar.sh just runs sonar-scanner, using a sonar-project.properties that contains:

sonar.checkov.reportFiles=reports/checkov.json

In the sonar-scanner logs I see this:

INFO: Sensor Cloudformation Check [cloudformation]
INFO: Process iac reports
WARN: Missing property:sonar.cfn.nag.reportFiles
INFO: sonar.checkov.reportFiles=reports/checkov.json
INFO: Processing  checkov :reports/checkov.json
WARN: Processing checkov:reports/checkov.json missing
INFO: Process iac reports (done) | time=6ms
INFO: Sensor Cloudformation Check [cloudformation] (done) | time=6ms

But I’ve checked many times and the checkov.json file does exist! Is Sonar not able to read it for some reason? Or am I missing something?

Thanks for the help.

Hi @fcloud,

Welcome to the community. SonarQube itself does not support Checkov reports out of the box. It looks like you are using a third-party plugin (sonar-cloudformation-plugin). I would recommend contacting the plugin maintainer, but it looks like the plugin is already EOL.

However, SonarQube does allow you to import generic reports or reports in SARIF format. Checkov can export results in SARIF format. So please refer to this documentation to import problems from checkov.

Best,
Nils
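The generic-report route Nils mentions, as an added example that is not part of the thread: a small converter from Checkov's JSON output (the `reports/checkov.json` produced above) into SonarQube's Generic Issue Import format, for the case where a SARIF export is not an option. The Checkov field names (`results.failed_checks[].check_id`, `file_path`, `file_line_range`, `resource`, `severity`) and the assumption that `file_path` is relative to the `--directory` passed to Checkov should be verified against your own report; the sample report is constructed.

```python
"""Convert a Checkov JSON report into SonarQube's Generic Issue Import format.

Added example, not code from the thread. Checkov field names and the path
join against the scanned directory are assumptions to check against a real report.
"""
import json
from pathlib import PurePosixPath

# Checkov's "severity" is often null (it is filled only with a platform key);
# map the values it may emit onto SonarQube's severities, defaulting to MAJOR.
SEVERITY_MAP = {"CRITICAL": "CRITICAL", "HIGH": "CRITICAL", "MEDIUM": "MAJOR",
                "LOW": "MINOR", "INFO": "INFO"}

# Constructed sample, shaped like Checkov's JSON output for a terraform scan.
SAMPLE_REPORT = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
             "file_path": "/s3.tf", "file_line_range": [1, 12],
             "resource": "aws_s3_bucket.logs", "severity": None},
            {"check_id": "CKV_AWS_24", "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
             "file_path": "/network/sg.tf", "file_line_range": [4, 20],
             "resource": "aws_security_group.admin", "severity": "HIGH"},
        ],
    },
}


def checkov_to_sonar_generic(report: dict, scanned_dir: str = "iac") -> dict:
    """Turn every failed Checkov check into one SonarQube generic issue.

    scanned_dir is the --directory given to checkov (assumption: Checkov's
    file_path is relative to it), so the emitted filePath is relative to
    sonar.projectBaseDir, which is what the scanner resolves against.
    """
    issues = []
    for check in report.get("results", {}).get("failed_checks", []):
        start, end = check.get("file_line_range") or [1, 1]
        rel = check["file_path"].lstrip("/")
        issues.append({
            "engineId": "checkov",
            "ruleId": check["check_id"],
            "severity": SEVERITY_MAP.get((check.get("severity") or "").upper(), "MAJOR"),
            "type": "VULNERABILITY",
            "primaryLocation": {
                "message": f"{check['check_name']} ({check.get('resource', 'unknown resource')})",
                "filePath": str(PurePosixPath(scanned_dir) / rel),
                "textRange": {"startLine": start, "endLine": end},
            },
        })
    return {"issues": issues}


if __name__ == "__main__":
    # Write the file you would then reference via sonar.externalIssuesReportPaths.
    with open("reports/checkov-sonar.json", "w", encoding="utf-8") as fh:
        json.dump(checkov_to_sonar_generic(SAMPLE_REPORT), fh, indent=2)
```

Point `sonar.externalIssuesReportPaths=reports/checkov-sonar.json` at the output; the imported issues appear as external issues and, as Ann notes later in the thread, only in New Code for a PR analysis.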

Hi Nils,

Thanks for the feedback. I followed your advice and switched to using the sarifReportPaths parameter.

The Sonar scan logs looked encouraging:

INFO: Sensor Import external issues report from SARIF file.
INFO: File services/app-iac/reports/checkov.sarif: successfully imported 13 vulnerabilities spread in 1 runs. 0 failed run(s).
INFO: Sensor Import external issues report from SARIF file. (done) | time=30ms

But nothing ever appeared in my SonarQube dashboard, either under Vulnerabilities or anywhere else.

At least, that was the case while I was working on a feature branch. When I merged to my main branch, all the issues suddenly appeared under Vulnerabilities in the main branch dashboard of my project.

Is there some kind of limitation, or am I missing some extra configuration? I didn’t see anything related in the link you sent.

Hi,

Was this actually a branch analysis, or a PR analysis? When the issues showed up, did they show up in New Code or in Overall Code?

Ann

Hi Ann,

It was actually a PR analysis, yes. And when merged on the main branch it showed up in the Overall Code view.

Fabien

Hi Fabien,

PR analysis only shows issues in New Code, so what you experienced is expected behavior.

Ann

Hi Ann,

OK, thanks for the feedback.

Fabien