I use OWASP dependency check 4.0.1 (gitlab-ci task using docker image registry.gitlab.com/gitlab-ci-utils/docker-dependency-check:latest) and import the reports into SonarQube using the dependency-check-sonar-plugin.
Everything works fine except for two steps:
1. Dependency-check returns absolute paths, so file matching is all mixed up and issues are attached to other “lookalike” files (this seems to be a plugin issue).
2. Dependency-check reports issues on files that are not “indexed in any language”, so these issues don’t show up in SonarQube reports. Is there a way to create a dummy language that could handle these files (in my case mainly lock files: PHP composer.lock, JS yarn.lock)? Should it be managed by the plugin?
That’s one way to go about it, and yes, it would need to be managed by the plugin. It’s also possible that it may work to add **/*.lock etc. to the Administration → Languages → Secrets → List of file path patterns to include.
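As an added illustration of a CI-side workaround for the first problem (absolute paths in the report), the following Python script is not from this thread, the dependency-check project or the Sonar plugin. It rewrites each dependency path in a dependency-check JSON report to be relative to the CI checkout before the report is handed to the importer. It assumes the report carries a top-level "dependencies" list whose entries have a "filePath" string; check that layout against your own report, and the GitLab CI_PROJECT_DIR variable supplies the workspace root in a pipeline.

```python
"""Rewrite absolute dependency paths in an OWASP dependency-check JSON report
to workspace-relative ones so a downstream importer (such as the SonarQube
dependency-check plugin) can match them against indexed source files.

Added example, not code from the thread, dependency-check or the plugin.
Assumption: the report has a top-level "dependencies" list whose entries
carry a "filePath" string; verify against your own report before relying on it.
"""
import copy
import json
import os
from pathlib import PurePosixPath


def relativize_path(abs_path: str, workspace: str) -> str:
    """Return abs_path relative to workspace (POSIX separators).

    Paths outside the workspace (e.g. cached data under /usr/share) are left
    untouched rather than mangled, so they can still be recognised as foreign.
    """
    path = PurePosixPath(abs_path)
    root = PurePosixPath(workspace)
    try:
        return path.relative_to(root).as_posix()
    except ValueError:
        return abs_path


def relativize_report(report: dict, workspace: str) -> dict:
    """Rewrite every dependencies[].filePath in place and return the report."""
    for dep in report.get("dependencies", []):
        fp = dep.get("filePath")
        if isinstance(fp, str):
            dep["filePath"] = relativize_path(fp, workspace)
    return report


def rewrite_report_file(src: str, dst: str, workspace: str) -> int:
    """Load src, relativize paths, write dst; return the number of dependencies seen."""
    with open(src, encoding="utf-8") as f:
        report = json.load(f)
    relativize_report(report, workspace)
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(report, f, indent=2)
    return len(report.get("dependencies", []))


# Constructed sample mimicking a report produced inside a GitLab CI job whose
# checkout lives under /builds/group/project (not a real report).
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "composer.lock", "filePath": "/builds/group/project/composer.lock"},
        {"fileName": "yarn.lock", "filePath": "/builds/group/project/web/yarn.lock"},
        # Outside the workspace: must be left as-is.
        {"fileName": "lodash", "filePath": "/usr/share/dependency-check/data/lodash"},
    ]
}


def relativize_sample(workspace: str) -> dict:
    """Return a relativized copy of SAMPLE_REPORT without mutating the original."""
    return relativize_report(copy.deepcopy(SAMPLE_REPORT), workspace)


if __name__ == "__main__":
    # In a GitLab job CI_PROJECT_DIR is the checkout root; fall back to the sample root.
    ws = os.environ.get("CI_PROJECT_DIR", "/builds/group/project")
    for dep in relativize_sample(ws)["dependencies"]:
        print(dep["filePath"])
```

In a pipeline this would run between the dependency-check job and the sonar-scanner step, writing the rewritten JSON to the path the plugin is configured to read; paths the tool reports from outside the checkout stay absolute, which makes it obvious in the imported report that they were never project sources.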