Dependency-check results ignored in PR scans

We are using SonarQube 8.1 with GitLab 14.0.12-ee, Maven, and the dependency-check Maven plugin for vulnerability scanning.

When we run a sonar scan for a branch and pass the dependency check reports, sonar correctly identifies the vulnerabilities from the dependency-check report. It properly fails our build and shows us the correct vulnerability in the sonarqube interface. However, when we run a sonar scan for a Merge Request, the dependency-check report is not considered. We would like to include results from dependency-check in our Quality Gates for merge requests, but are unsure how to accomplish this.

Hi,

Welcome to the community!

Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.1 → 8.9.7 → 9.3 (last step optional)

You may find the Upgrade Guide helpful. If you have questions about upgrading, feel free to open a new thread for that here.

Regarding your problem, keep in mind that Merge Request analysis is only going to report issues on code that is new in the MR. It’s likely that the Dependency Check results are being filtered out because they’re either raised at file level or raised on “old” code.

HTH,
Ann
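To illustrate the filtering Ann describes, here is an added example (not code from the thread or from the SonarQube or dependency-check projects). It assumes the findings attach to the Maven dependency file `pom.xml`, so they only surface in MR analysis when that file is part of the diff, and it shows a severity gate that can be applied to the report regardless of the MR filter. The report and CVE ids are constructed placeholders.

```python
import json

# Constructed sample in the shape of a dependency-check JSON report (placeholder CVE ids).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "lib-a-1.0.jar",
         "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "CRITICAL"}]},
        {"fileName": "lib-b-2.0.jar", "vulnerabilities": []},
        {"fileName": "lib-c-3.0.jar",
         "vulnerabilities": [{"name": "CVE-0000-0002", "severity": "MEDIUM"},
                             {"name": "CVE-0000-0003", "severity": "HIGH"}]},
    ]
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json):
    """Flatten the report into (dependency, cve, severity) tuples."""
    out = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            out.append((dep["fileName"], vuln["name"], vuln["severity"].upper()))
    return out


def visible_in_mr(report_json, changed_files, dependency_file="pom.xml"):
    """Model the MR filter: findings are raised on the dependency file (assumption),
    so an MR that does not touch it sees none of them, even if they are critical."""
    if dependency_file not in changed_files:
        return []
    return findings(report_json)


def gate(report_json, min_severity="HIGH"):
    """Branch-independent gate over the whole report: return every finding at or
    above min_severity; a non-empty result means the pipeline should fail."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings(report_json) if SEVERITY_RANK.get(f[2], 0) >= threshold]


if __name__ == "__main__":
    print("MR touching only Java:", visible_in_mr(SAMPLE_REPORT, {"src/main/java/App.java"}))
    print("Gate (HIGH+):", gate(SAMPLE_REPORT))
```

Running `gate()` as a separate CI step gives the merge request a dependency-based fail condition that does not depend on whether SonarQube's new-code filter lets the findings through.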