External reports not showing issues for Pull Request analysis but working for branch analysis

Hello,

I’m running:
SQ: v10.8.1 Developer
sonar-scanner: installed globally via npm install -g sonarqube-scanner version 4.2.5
trivy: v0.58.2
trivy-plugin-sonarqube: v0.3.2

I’m generating a Trivy vulnerability report which I convert using trivy-plugin-sonarqube to the Generic Issue Import report format.

In the generic report I’m mapping all issues to the Dockerfile. Whenever there is a PR build in CI I scan the new code, which has been working perfectly so far.
However, now that I would like to get the external vulnerability report during the PR, the issues are not recognized. My command-line execution is the following:

sonar-scanner -Dsonar.host.url=<SQ url> \
              -Dsonar.token=<SQ token> \
              -Dsonar.scm.provider=git \
              -Dsonar.projectName=<project-name> \
              -Dsonar.projectKey=<project-key> \
              -Dsonar.projectVersion=<project-version> \
              -Dsonar.externalIssuesReportPaths=vuln-report.json \
              -Dsonar.newCode.referenceBranch=<target-branch> \
              -Dsonar.pullrequest.key=<pr-id> \
              -Dsonar.pullrequest.branch=<branch-name> \
              -Dsonar.pullrequest.base=<target-branch> \
              -Dsonar.qualitygate.wait=true \
              -Dsonar.qualitygate.timeout=300 \
              -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info

log:

[WARN]  Bootstrapper: SONARQUBE_SCANNER_PARAMS is deprecated, please use SONAR_SCANNER_JSON_PARAMS instead
[INFO]  Bootstrapper: Retrieving info from "package.json" file
[INFO]  Bootstrapper: Platform: linux x64
[INFO]  Bootstrapper: Server URL: http://
[INFO]  Bootstrapper: Version: 4.2.5
[INFO]  Bootstrapper: SonarQube server version: 10.8.1
[INFO]  Bootstrapper: JRE provisioning is supported
[INFO]  Bootstrapper: No Cache found for JRE
[INFO]  Bootstrapper: Download starting...
[INFO]  Bootstrapper: Download complete
[INFO]  Bootstrapper: Downloaded JRE to /.sonar/cache/bcb1b7b8ad68c93093f09b591b7cb17161d39891f7d29d33a586f5a328603707/OpenJDK17U-jre_x64_linux_hotspot_17.0.11_9.tar.gz
[INFO]  Bootstrapper: No Cache found for SonarScanner Engine
[INFO]  Bootstrapper: Download starting...
[INFO]  Bootstrapper: Download complete
[INFO]  Bootstrapper: Downloaded SonarScanner Engine to /.sonar/cache/f74ac510f3f831dcb27f270d35ddf9245a18b6dc7b22f5f10035726d13b9a63b/scanner-developer-10.8.1.101195-all.jar
[INFO]  ScannerEngine: Starting SonarScanner Engine...
[INFO]  ScannerEngine: Java 17.0.11 Eclipse Adoptium (64-bit)
...
...
...
# correctly importing external report
[INFO]  ScannerEngine: Sensor Import external issues report
[INFO]  ScannerEngine: Imported 138 issues in 1 file
[INFO]  ScannerEngine: Sensor Import external issues report (done) | time=72ms
...
...
[INFO]  ScannerEngine: Sensor IaC Docker Sensor [iac]
[INFO]  ScannerEngine: 1 source file to be analyzed
[INFO]  ScannerEngine: 1/1 source file has been analyzed
[INFO]  ScannerEngine: Sensor IaC Docker Sensor [iac] (done) | time=318ms
...
...
[INFO]  ScannerEngine: Analysis report generated in 121ms, dir size=1.7 MB
[INFO]  ScannerEngine: Analysis report compressed in 384ms, zip size=957.4 kB
[INFO]  ScannerEngine: Analysis report uploaded in 222ms
[INFO]  ScannerEngine: ANALYSIS SUCCESSFUL, you can find the results at: http://
[INFO]  ScannerEngine: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
[INFO]  ScannerEngine: More about the report processing at http://
[screenshots: PR1, PR2, PR3]

[INFO]  ScannerEngine: Time spent writing ucfgs 331ms
[INFO]  ScannerEngine: Analysis total time: 1:10.031 s
[INFO]  ScannerEngine: SonarScanner Engine completed successfully

I have added 2 new lines to the Dockerfile so it has new code, and the issues are supposedly imported; however, it does not work as expected:



HOWEVER, after testing with normal branch scan mode (no pull request scan), it kind of works:

sonar-scanner -Dsonar.host.url=<SQ url> \
              -Dsonar.token=<SQ token> \
              -Dsonar.scm.provider=git \
              -Dsonar.projectName=<project-name> \
              -Dsonar.projectKey=<project-key> \
              -Dsonar.projectVersion=<project-version> \
              -Dsonar.externalIssuesReportPaths=vuln-report.json \
              -Dsonar.newCode.referenceBranch=<target-branch> \
              -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info

Still it says 0 new issues:


With no ‘issues on new code’ filter:

It correctly discovers my 2 new lines in the Dockerfile:

But when I go to the “Code” tab, the Dockerfile properly shows all imported Security issues:

Is this working as intended? What are the limitations of the external reports being imported?

Regards

Hi,

PR analysis only reports issues on new code.

You’re reporting all your Trivy issues on the Dockerfile, and the Dockerfile has two (correctly detected) new lines. But if the Trivy issues aren’t raised on those 2 new lines, then they’re not going to show up - either in PR analysis or in the “new” part of a branch analysis.

For that matter, even if the line the issue is raised on is updated, if the issue itself was previously raised, then it’s not “new”.

So let’s go back to what you’re trying to accomplish:

Are you expecting a whole new set of vulnerabilities with each new PR? If so, you’ll have to find something that actually changed in the PR to be able to see them in the PR analysis.

 
Ann

hi @ganncamp ,
thanks for the info, it makes a lot of sense.
I did not consider that I associate all issues with the Dockerfile but don’t have any line numbers inside it, so even if the 2 new lines are part of the same file, the issues are not specific to those 2.
That would explain the behavior, much appreciated the fast response.

Regards.
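To make Ann’s point and the follow-up concrete: an external issue only shows up in the PR view if its primary location sits on a line the PR changed, so a file-level issue with no textRange never will. The script below is an added example, not the poster’s pipeline and not trivy-plugin-sonarqube’s code. It converts a constructed Trivy-style report into a Generic Issue Import document, anchoring each finding to a Dockerfile line (my own heuristic: OS-package findings on the last FROM, language-package findings on the dependency-install RUN), parses a constructed `git diff -U0` to find the PR’s added lines, and models the line rule. The Trivy field names and the 10.x rules+issues shape of the generic format are used as I understand them and should be checked against the docs; the vulnerability IDs are placeholders, not real CVEs.

```python
"""Anchor Trivy findings to Dockerfile lines, then check which fall on a PR's
changed lines. Added example; every input below is constructed sample data."""
import json
import re

# Constructed Dockerfile (1-based lines: FROM is line 1, RUN npm ci is line 4).
DOCKERFILE = """FROM node:18-bullseye
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
CMD ["node", "server.js"]""".splitlines()

# Constructed Trivy-style JSON (field names as I believe Trivy emits them); IDs are placeholders.
TRIVY_REPORT = {"Results": [
    {"Target": "node:18-bullseye (debian 11.8)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "HIGH", "Title": "example OS package flaw"}]},
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "example-lib", "InstalledVersion": "2.1.0",
         "FixedVersion": "2.1.1", "Severity": "MEDIUM", "Title": "example npm package flaw"}]}]}

# Constructed `git diff -U0 <base>...HEAD -- Dockerfile`: bumps the base image (line 1),
# appends a HEALTHCHECK (new line 6); the RUN npm ci line (4) is untouched.
PR_DIFF = """diff --git a/Dockerfile b/Dockerfile
--- a/Dockerfile
+++ b/Dockerfile
@@ -1 +1 @@
-FROM node:18-bullseye
+FROM node:18-bookworm
@@ -5,0 +6 @@ COPY . .
+HEALTHCHECK CMD curl -f http://localhost:3000/ || exit 1
"""
SEVERITY = {"CRITICAL": "HIGH", "HIGH": "HIGH", "MEDIUM": "MEDIUM", "LOW": "LOW"}


def anchor_line(dockerfile, result_class):
    """My heuristic, not Trivy's: OS-package findings come from the runtime base
    image (last FROM); language-package findings from the dependency-install RUN."""
    froms = [n for n, l in enumerate(dockerfile, 1) if l.upper().startswith("FROM")]
    runs = [n for n, l in enumerate(dockerfile, 1) if l.upper().startswith("RUN")
            and re.search(r"\b(npm|yarn|pnpm|pip|poetry|bundle|go mod)\b", l)]
    if result_class == "os-pkgs" and froms:
        return froms[-1]
    if result_class == "lang-pkgs" and runs:
        return runs[0]
    return 1


def to_generic_report(trivy, dockerfile, file_path="Dockerfile", per_line=True):
    """Generic Issue Import document in the 10.x rules+issues shape (assumed; verify
    field names). per_line=False reproduces the thread: file-level issues, no textRange."""
    rules, issues = {}, []
    for result in trivy.get("Results", []):
        line = anchor_line(dockerfile, result.get("Class", ""))
        for v in result.get("Vulnerabilities") or []:
            rid = v["VulnerabilityID"]
            rules.setdefault(rid, {
                "id": rid, "name": v.get("Title", rid), "engineId": "trivy",
                "cleanCodeAttribute": "TRUSTWORTHY",
                "impacts": [{"softwareQuality": "SECURITY",
                             "severity": SEVERITY.get(v.get("Severity"), "LOW")}]})
            loc = {"filePath": file_path,
                   "message": f"{v['PkgName']} {v.get('InstalledVersion')} affected by {rid} "
                              f"(fixed in {v.get('FixedVersion') or 'n/a'}; {result.get('Target')})"}
            if per_line:  # this is what lets a changed line "own" the issue
                loc["textRange"] = {"startLine": line, "endLine": line}
            issues.append({"ruleId": rid, "primaryLocation": loc})
    return {"rules": list(rules.values()), "issues": issues}


def added_lines(diff_text, path="Dockerfile"):
    """1-based line numbers that a unified diff adds ('+' lines) to `path`."""
    added, current, new_line = set(), None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current = raw[4:].removeprefix("b/")
        elif current != path:
            continue
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_line = int(m.group(1)) if m else new_line
        elif raw.startswith("+"):
            added.add(new_line)
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1  # unchanged context line (none with -U0)
    return added


def issues_on_new_code(report, changed):
    """The line rule the PR view applies, simplified (SonarQube additionally drops
    issues it has already seen on the branch, which this model ignores)."""
    return [i for i in report["issues"]
            if i["primaryLocation"].get("textRange", {}).get("startLine") in changed]


if __name__ == "__main__":
    report = to_generic_report(TRIVY_REPORT, DOCKERFILE)
    print(json.dumps(report, indent=2))  # save as vuln-report.json for externalIssuesReportPaths
    changed = added_lines(PR_DIFF)
    print("changed lines:", sorted(changed))
    for i in issues_on_new_code(report, changed):
        print("on new code:", i["ruleId"], "line", i["primaryLocation"]["textRange"]["startLine"])
```

With the base-image bump, the OS-package finding anchored on the FROM line lands on new code and would appear in the PR; the npm finding stays on the unchanged RUN line and would not, and with `per_line=False` (the thread’s original setup) nothing appears at all. Anchoring is a heuristic, so pick the line that genuinely caused the dependency to be pulled in, or the PR view will surface findings that the PR did not introduce.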

