External issues upload into previous scan

SonarQube: Community Edition Version 7.7 (build 23042)
Scanner: SonarQube Scanner 3.2.0.1227
Jenkins plugins: SonarQube Scanner 2.8.1 & Sonar Quality Gates 1.3.1

Hello,

I would like to use the scanner cli to “inject” an additional list of vulnerabilities into the previous scan / analysis. This list of CVEs is being generated by a software composition analysis tool at a later stage in the pipeline.
I am basically looking for some flexibility in the project activity reporting. Right now a new analysis is being generated, which only takes into consideration this external list of issues.

What I have right now:

  • initial scan of source code - functioning as expected
  • second scan attempt with -Dsonar.externalIssuesReportPaths=data.json -Dsonar.issuesReport.json.enable=true which generates a new analysis that drops issues detected in the initial scan

I am wondering if there are any out of the box ideas that might help me.

Thank you for your time,
Claudiu

Hi Claudiu,

Sorry, but that’s just not the way it works. From your description, it sounds like you’ll just have to move SonarQube analysis to later in the process. Either that, or use a different project key for each analysis. (Yes, that will double your LOC for billing purposes.)

 
Ann
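Ann's answer and the `-Dsonar.externalIssuesReportPaths=data.json` flag in the question both point at the same workflow: run the software composition analysis first, write its CVE list in SonarQube's Generic Issue Import format, and then run sonar-scanner once so the source analysis and the external issues land in the same analysis of the same project key. The script below is an added example for this thread, not code from the original posts or from SonarSource. The SCA input format, the `sca` engineId, the CVE-to-severity mapping and the sample findings (placeholder CVE identifiers, not real vulnerabilities) are all assumptions made for the example; the output format is the documented generic issue JSON that SonarQube 7.2 and later accept.

```python
"""Convert SCA findings into SonarQube's Generic Issue Import JSON (data.json).

Added example for the thread above, not SonarSource code. The input format of
the SCA tool and the engineId "sca" are assumptions for this example.
"""
import json
from typing import Any, Dict, List, Optional

# Allowed values in the Generic Issue Import format.
SEVERITIES = {"BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"}
TYPES = {"BUG", "VULNERABILITY", "CODE_SMELL"}

# Constructed sample of what an SCA stage might hand over. Field names and the
# CVE identifiers are placeholders for this example, not real findings.
SAMPLE_SCA_FINDINGS: List[Dict[str, Any]] = [
    {"cve": "CVE-0000-0001", "package": "example:lib-a", "version": "1.2.3",
     "cvss": 9.8, "manifest": "pom.xml", "line": 42},
    {"cve": "CVE-0000-0002", "package": "example:lib-b", "version": "0.9.0",
     "cvss": 5.3, "manifest": "pom.xml", "line": 57},
    {"cve": "CVE-0000-0003", "package": "example:lib-c", "version": "2.0.0",
     "cvss": 3.1, "manifest": "package.json", "line": None},
]


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score onto SonarQube's five severities.

    Cut-offs follow the CVSS v3 qualitative ratings (critical/high/medium/low);
    the mapping itself is a choice made for this example, not a SonarQube rule.
    """
    if score >= 9.0:
        return "BLOCKER"
    if score >= 7.0:
        return "CRITICAL"
    if score >= 4.0:
        return "MAJOR"
    if score > 0.0:
        return "MINOR"
    return "INFO"


def to_generic_issue(finding: Dict[str, Any], engine_id: str = "sca") -> Dict[str, Any]:
    """Build one issue object in the Generic Issue Import format.

    engineId, ruleId, severity, type and primaryLocation (with message and
    filePath) are required. filePath is relative to the project base directory
    and must be a file the scanner indexes, otherwise SonarQube drops the issue
    as belonging to an unknown file.
    """
    location: Dict[str, Any] = {
        "message": (f"{finding['package']} {finding['version']} is affected by "
                    f"{finding['cve']} (CVSS {finding['cvss']})"),
        "filePath": finding["manifest"],
    }
    line: Optional[int] = finding.get("line")
    # textRange is optional: without it the issue is reported at file level.
    if line:
        location["textRange"] = {"startLine": line, "endLine": line}
    return {
        "engineId": engine_id,
        "ruleId": finding["cve"],
        "severity": severity_from_cvss(float(finding["cvss"])),
        "type": "VULNERABILITY",
        "primaryLocation": location,
    }


def build_report(findings: List[Dict[str, Any]], engine_id: str = "sca") -> Dict[str, Any]:
    """Wrap the converted findings in the top-level {"issues": [...]} object."""
    return {"issues": [to_generic_issue(f, engine_id) for f in findings]}


def validate_report(report: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the report is well-formed."""
    problems: List[str] = []
    for i, issue in enumerate(report.get("issues", [])):
        for key in ("engineId", "ruleId", "severity", "type", "primaryLocation"):
            if key not in issue:
                problems.append(f"issue {i}: missing {key}")
        if issue.get("severity") not in SEVERITIES:
            problems.append(f"issue {i}: bad severity {issue.get('severity')!r}")
        if issue.get("type") not in TYPES:
            problems.append(f"issue {i}: bad type {issue.get('type')!r}")
        loc = issue.get("primaryLocation") or {}
        for key in ("message", "filePath"):
            if key not in loc:
                problems.append(f"issue {i}: primaryLocation missing {key}")
    return problems


def write_report(path: str, findings: List[Dict[str, Any]], engine_id: str = "sca") -> int:
    """Validate and write the report; return the number of issues written."""
    report = build_report(findings, engine_id)
    problems = validate_report(report)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    return len(report["issues"])


if __name__ == "__main__":
    count = write_report("data.json", SAMPLE_SCA_FINDINGS)
    print(f"wrote {count} issues to data.json")
```

Feed the file to the one scanner run that also analyses the sources, for example `sonar-scanner -Dsonar.projectKey=myproject -Dsonar.sources=. -Dsonar.externalIssuesReportPaths=data.json`. Two practical caveats: the `filePath` of each issue has to be inside `sonar.sources` (or `sonar.tests`), since the scanner ignores external issues on files it did not index, and external issues do not belong to any Quality Profile, so their severity and type come entirely from the report and cannot be changed in the UI.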

Hi Ann,

Thank you for your analysis!

I’m already exploring the secondary key option. Reconciling the timing of scans in a later iteration should be straightforward.

Claudiu