Must-share information (formatted with Markdown):

• which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  9.2.4
• what are you trying to achieve
  reporting yarn audit results as external issues within sonarqube for each pull request
• what have you tried so far to achieve this
  I yarn audit json into external issues json format and then
  feed it to sonar.externalIssuesReportPaths

For pull requests sonar never reports the reported vulnerabilites.
Sonar shows new vulnerabilities solely on master branch and overall previously reported vulnerabilities in overall code tab on master branch.

Why cannot I see new vulns and general vulns in pull requests? Is there a way to enable that?

Also sonar doesn’t fail if there are no new vulnerabilities but there are existing vulnerabilities overall that were previously reported. Is there a way to make it always fail if there are any external issues at all?

Hey there.

Today, Pull Requests only record issues on changed lines – all other issues are filtered out. This applies to external issues as well. This means that issues raised on lines not identified as changed, or raised at the file-level, won’t be shown. We’re considering improving this and you’re welcome to add your voice on our Roadmap.

You would need to set a Quality Gate condition on Overall Code. It’s not possible to differentiate between external and non-external issues, but you can differentiate by issue type (Vulnerability, etc.)

Thanks for the response I added my use case via the portal you linked.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.