Environment:
Pipeline using Azure DevOps
SonarQube Enterprise Edition Version 8.9.9 (build 56886)
Gradle 8.1
SonarQube Gradle Plugin 3.5.0.2730
Problem
We have an Azure Pipeline that builds using Gradle, and the OWASP Dependency Report is published to SonarQube (visible under More → HTML Dependency-Check), but we require the issues to be listed under Security Hotspots. Under “Security Hotspots” it states “There are no Security Hotspots to review.”
azure-pipelines.yml
- task: SonarQubePrepare@5
  inputs:
    SonarQube: 'SonarQube OUR-URL'
    scannerMode: 'CLI'
    configMode: 'file'
    extraProperties: |
      sonar.dependencyCheck.reportPath=dependency-check-report.html
      sonar.dependencyCheck.htmlReportPath=$(Agent.TempDirectory)/dependency-scan-results/CA/dependency-check-report.html
      sonar.dependencyCheck.securityHotspot=true