Dependency Check Plugin for SonarQube False Positive analysis

Hi Everyone,

We implement the Dependency Check Plugin, which fetches results from Dependency Check and publishes them on SonarQube.
I have a question on how the SonarQube plugin deals with third-party libraries that are marked as false positives. We have a vast number of projects, and every project uses third-party libraries.
For example, I mark

io.micrometer.micrometer-registry-prometheus-1.5.2.jar
as a false positive, because CVE-2019-3826 is not applicable to my project.

My questions:

  1. Next time the project is scanned, will this be reopened?
  2. If a new CPE is identified in this jar, will this be reopened?

Any assistance would be helpful. Thank you!

Hi,

If the docs on understanding which issues are “New” aren’t helpful, then you might want to move this thread to the Rule Writing sub-category.

Ann