Must-share information (formatted with Markdown):
- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
- what are you trying to achieve
reporting yarn audit results as external issues within sonarqube for each pull request
- what have you tried so far to achieve this
I yarn audit json into external issues json format and then
feed it to sonar.externalIssuesReportPaths
For pull requests sonar never reports the reported vulnerabilites.
Sonar shows new vulnerabilities solely on master branch and overall previously reported vulnerabilities in overall code tab on master branch.
Why cannot I see new vulns and general vulns in pull requests? Is there a way to enable that?
Also sonar doesn’t fail if there are no new vulnerabilities but there are existing vulnerabilities overall that were previously reported. Is there a way to make it always fail if there are any external issues at all?