Hello,
I’m running:
SQ: v10.8.1 Developer
sonar-scanner: installed globally via npm install -g sonarqube-scanner, version 4.2.5
trivy: v0.58.2
trivy-plugin-sonarqube: v0.3.2
I’m generating a trivy vulnerability report which I convert using trivy-plugin-sonarqube to the Generic formatted issue report format.
In the generic report I’m marking all to the Dockerfile. Whenever there is a PR build of the CI I would like to scan the new code, which has been working perfectly so far.
However, now that I would like to get the external vuln report during the PR, they are not recognized. My command line execution is the following:
sonar-scanner -Dsonar.host.url=<SQ url> \
-Dsonar.token=<SQ token> \
-Dsonar.scm.provider=git \
-Dsonar.projectName=<project-name> \
-Dsonar.projectKey=<project-key> \
-Dsonar.projectVersion=<project-version> \
-Dsonar.externalIssuesReportPaths=vuln-report.json \
-Dsonar.newCode.referenceBranch=<target-branch> \
-Dsonar.pullrequest.key=<pr-id> \
-Dsonar.pullrequest.branch=<branch-name> \
-Dsonar.pullrequest.base=<target-branch> \
-Dsonar.qualitygate.wait=true \
-Dsonar.qualitygate.timeout=300 \
-Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
log:
[WARN] Bootstrapper: SONARQUBE_SCANNER_PARAMS is deprecated, please use SONAR_SCANNER_JSON_PARAMS instead
[INFO] Bootstrapper: Retrieving info from "package.json" file
[INFO] Bootstrapper: Platform: linux x64
[INFO] Bootstrapper: Server URL: http://
[INFO] Bootstrapper: Version: 4.2.5
[INFO] Bootstrapper: SonarQube server version: 10.8.1
[INFO] Bootstrapper: JRE provisioning is supported
[INFO] Bootstrapper: No Cache found for JRE
[INFO] Bootstrapper: Download starting...
[INFO] Bootstrapper: Download complete
[INFO] Bootstrapper: Downloaded JRE to /.sonar/cache/bcb1b7b8ad68c93093f09b591b7cb17161d39891f7d29d33a586f5a328603707/OpenJDK17U-jre_x64_linux_hotspot_17.0.11_9.tar.gz
[INFO] Bootstrapper: No Cache found for SonarScanner Engine
[INFO] Bootstrapper: Download starting...
[INFO] Bootstrapper: Download complete
[INFO] Bootstrapper: Downloaded SonarScanner Engine to /.sonar/cache/f74ac510f3f831dcb27f270d35ddf9245a18b6dc7b22f5f10035726d13b9a63b/scanner-developer-10.8.1.101195-all.jar
[INFO] ScannerEngine: Starting SonarScanner Engine...
[INFO] ScannerEngine: Java 17.0.11 Eclipse Adoptium (64-bit)
...
...
...
# correctly importing external report
[INFO] ScannerEngine: Sensor Import external issues report
[INFO] ScannerEngine: Imported 138 issues in 1 file
[INFO] ScannerEngine: Sensor Import external issues report (done) | time=72ms
...
...
[INFO] ScannerEngine: Sensor IaC Docker Sensor [iac]
[INFO] ScannerEngine: 1 source file to be analyzed
[INFO] ScannerEngine: 1/1 source file has been analyzed
[INFO] ScannerEngine: Sensor IaC Docker Sensor [iac] (done) | time=318ms
...
...
[INFO] ScannerEngine: Analysis report generated in 121ms, dir size=1.7 MB
[INFO] ScannerEngine: Analysis report compressed in 384ms, zip size=957.4 kB
[INFO] ScannerEngine: Analysis report uploaded in 222ms
[INFO] ScannerEngine: ANALYSIS SUCCESSFUL, you can find the results at: http://
[INFO] ScannerEngine: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
[INFO] ScannerEngine: More about the report processing at http://
[INFO] ScannerEngine: Time spent writing ucfgs 331ms
[INFO] ScannerEngine: Analysis total time: 1:10.031 s
[INFO] ScannerEngine: SonarScanner Engine completed successfully
I have added 2 new lines to the Dockerfile so it has new code, and the issues are supposedly imported; however, it does not work as expected:
HOWEVER, after testing with normal branch scan mode (no pull request scan) it kind of works:
sonar-scanner -Dsonar.host.url=<SQ url> \
-Dsonar.token=<SQ token> \
-Dsonar.scm.provider=git \
-Dsonar.projectName=<project-name> \
-Dsonar.projectKey=<project-key> \
-Dsonar.projectVersion=<project-version> \
-Dsonar.externalIssuesReportPaths=vuln-report.json \
-Dsonar.newCode.referenceBranch=<target-branch> \
-Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
Still it says 0 new issues:
no ‘issues on new code’ filter:
it correctly discovers my 2 new lines in Dockerfile
but when I go to the “Code” tab, Dockerfile properly shows all Security issues imported:
Is this working as intended? What are the limitations of the external reports being imported?
Regards
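SonarQube attaches each imported external issue to the file and line range given in the report, and the "new code" and pull-request views are computed per line from SCM data, so a practical pre-flight check is to compare each issue's textRange against the lines the PR actually touched. The script below is an added example, not code from the original post, from Trivy or from trivy-plugin-sonarqube. The unified diff, the report and the rule ids ("placeholder-vuln-1" etc.) are constructed here; the report is assumed to follow SonarQube's Generic Issue Import format and only `issues[].ruleId` and `primaryLocation` are read, so both the older per-issue severity/type variant and the newer `rules` array variant work.

```python
import json
import re
from typing import Dict, List, Set

# Constructed sample PR diff (not from the original post): two lines added to a Dockerfile.
SAMPLE_DIFF = """\
diff --git a/Dockerfile b/Dockerfile
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,6 @@
 FROM node:18-alpine
 WORKDIR /app
+COPY package*.json ./
+RUN npm ci --omit=dev
 COPY . .
 CMD ["node", "server.js"]
"""

# Constructed sample report in Generic Issue Import shape; rule ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "issues": [
        {"engineId": "trivy", "ruleId": "placeholder-vuln-1", "severity": "MAJOR",
         "type": "VULNERABILITY",
         "primaryLocation": {"message": "finding attached to the FROM line", "filePath": "Dockerfile",
                             "textRange": {"startLine": 1, "endLine": 1}}},
        {"engineId": "trivy", "ruleId": "placeholder-vuln-2", "severity": "CRITICAL",
         "type": "VULNERABILITY",
         "primaryLocation": {"message": "finding attached to the new RUN line", "filePath": "Dockerfile",
                             "textRange": {"startLine": 4, "endLine": 4}}},
        {"engineId": "trivy", "ruleId": "placeholder-vuln-3", "severity": "MINOR",
         "type": "VULNERABILITY",
         # No textRange: SonarQube treats this as a file-level issue.
         "primaryLocation": {"message": "file-level finding", "filePath": "Dockerfile"}},
    ]
})

# Hunk header: we only need the start line on the new-file side.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def parse_changed_lines(diff_text: str) -> Dict[str, Set[int]]:
    """Return {path: set of new-file line numbers that were added or modified} from a unified diff."""
    changed: Dict[str, Set[int]] = {}
    path = None
    line_no = 0
    prev = ""
    for raw in diff_text.splitlines():
        # A "+++ " line directly after a "--- " line is a file header, not an added line.
        if raw.startswith("+++ ") and prev.startswith("--- "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            changed.setdefault(path, set())
        elif (m := HUNK_RE.match(raw)):
            line_no = int(m.group(1))
        elif path is None or raw.startswith(("diff ", "index ", "--- ", "\\")):
            pass  # preamble, file header or "\ No newline at end of file"
        elif raw.startswith("+"):
            changed[path].add(line_no)
            line_no += 1
        elif raw.startswith(" ") or raw == "":
            line_no += 1  # context line (some tools emit empty context lines as "")
        # "-" lines belong to the old file and do not advance the new-file counter
        prev = raw
    return changed


def load_issues(report_text: str) -> List[dict]:
    """Normalise Generic Issue Import entries to ruleId, filePath, startLine, endLine."""
    out = []
    for issue in json.loads(report_text).get("issues", []):
        loc = issue["primaryLocation"]
        rng = loc.get("textRange")
        out.append({
            "ruleId": issue["ruleId"],
            "filePath": loc["filePath"],
            "startLine": rng["startLine"] if rng else None,
            "endLine": rng.get("endLine", rng["startLine"]) if rng else None,
        })
    return out


def classify(issues: List[dict], changed: Dict[str, Set[int]]) -> Dict[str, List[str]]:
    """Split issues by whether their text range overlaps a changed line in the PR."""
    result: Dict[str, List[str]] = {"on_new_code": [], "on_old_code": [], "file_level": []}
    for it in issues:
        if it["startLine"] is None:
            result["file_level"].append(it["ruleId"])  # no line to match against
            continue
        lines = set(range(it["startLine"], it["endLine"] + 1))
        bucket = "on_new_code" if lines & changed.get(it["filePath"], set()) else "on_old_code"
        result[bucket].append(it["ruleId"])
    return result


if __name__ == "__main__":
    summary = classify(load_issues(SAMPLE_REPORT), parse_changed_lines(SAMPLE_DIFF))
    print(json.dumps(summary, indent=2))
```

In CI the diff would come from `git diff <target-branch>...HEAD` and the report from the converted Trivy output; any issue that lands in `on_old_code` or `file_level` sits on lines the PR did not change, which is exactly the set a line-based new-code view has no reason to surface.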