We are using SonarQube 8.1 with GitLab 14.0.12-ee, Maven, and the dependency-check Maven plugin for vulnerability scanning.
When we run a Sonar scan for a branch and pass the dependency-check reports, Sonar correctly identifies the vulnerabilities from the dependency-check report. It properly fails our build and shows us the correct vulnerability in the SonarQube interface. However, when we run a Sonar scan for a Merge Request, the dependency-check report is not considered. We would like to include results from dependency-check in our Quality Gates for merge requests, but are unsure how to accomplish this.