We implement Dependency Check Plugin , which fetches results from Dependency Check and Publishes on SonarQube .
I have a question on how SonarQube Plugin deals with third party libraries that are marked as False Positives. We have vast number of projects and every project uses third party libraries .
For example: I mark
io.micrometer.micrometer-registry-prometheus-1.5.2.jar
as a false positive , because the CVE-2019-3826 is not applicable to my project.
My Questions -
Next time project is scanned will this be reopened ?
If a new CPE is identified in this jar , will this be reopened ?
I also ran into the very same issue of trying to configure the false positives.
The documentation is refering to an XML config file where the content can be created from sonarqube.
However, its totally unclear how this suppress-xml is used in the dependency scan.
Do I have to copy this file manually into my CICD system and provide it to the scanner as a parameter.
I could see from the documentation that this is a possible approach.
Being able to read about the process in total somewhere would be very beneficial.
Considerung the high level integration elsewhere I am surprised this is not further automated.