SonarQube: Community Edition Version 7.7 (build 23042)
Scanner: SonarQube Scanner 188.8.131.527
Jenkins plugins: SonarQube Scanner 2.8.1 & Sonar Quality Gates 1.3.1
I would like to use the scanner cli to “inject” an additional list of vulnerabilities into the previous scan / analysis. This list of CVEs is being generated by a software composition analysis tool at a later stage in the pipeline.
I am basically looking for some flexibility in the project activity reporting. Right now a new analysis is being generated, which only takes into consideration this external list of issues.
What I have right now:
- initial scan of source code - functioning as expected
- second scan attempt with -Dsonar.externalIssuesReportPaths=data.json -Dsonar.issuesReport.json.enable=true which generates a new analysis that drops issues detected in the initial scan
I am wondering if there are any out of the box ideas that might help me.
Thank you for your time,