How do I get SonarCloud to detect vulnerabilities?

Hi all. I am new to SonarCloud. I am attempting to get SonarCloud to detect vulnerabilities.

Using GitHub, the intention is to scan with GitHub Actions. The project is Java, built on Gradle. It's a private repository. I have initiated a Sonar project with the default Sonar way quality gate and bound it to the repo.

My build.gradle is as follows:

plugins {
    id 'java'
    id 'io.freefair.lombok' version '6.6.2'
    id 'application'
    id 'org.springframework.boot' version '2.7.18'
    id 'io.spring.dependency-management' version '1.1.3'
    id 'nu.studer.jooq' version '8.2.1'
    id 'com.avast.gradle.docker-compose' version '0.17.1'
    id "org.sonarqube" version "4.4.1.3373"
}

sonar {
  properties {
    property "sonar.projectKey", <my Key>
    property "sonar.organization", "<my Organization>"
    property "sonar.host.url", "https://sonarcloud.io"
  }
}

Running gradle build or gradle sonar does run an analysis. It's found bugs and code smells. However, it has not picked up any vulnerabilities. I know there are vulnerabilities in the repo because the AWS scanner reports them. Many of these vulnerable libraries are pulled in through the Docker image (as opposed to being accessed directly in the code).

Here is the Dockerfile.

FROM debian:trixie-slim AS deps

RUN apt-get update && apt-get install -y wget

WORKDIR /work
RUN wget https://dtdg.co/latest-java-tracer -O dd-java-agent.jar

FROM gcr.io/distroless/java17-debian11:nonroot as builder
WORKDIR /service
ARG JAR_FILE=build/libs/<My Jar File>

COPY ${JAR_FILE} <My Jar File Location>
USER root
RUN ["java", "-Djarmode=layertools", "-jar", <My Jar File>, "extract"]

FROM gcr.io/distroless/java17-debian11:nonroot

WORKDIR /service
COPY --from=deps /work/dd-java-agent.jar ./dd-java-agent.jar
COPY config ./config

COPY --from=builder service/spring-boot-loader/ ./
COPY --from=builder service/dependencies/ ./
COPY --from=builder service/snapshot-dependencies/ ./
COPY --from=builder service/application/ ./

EXPOSE 8080

ENTRYPOINT ["java", "org.springframework.boot.loader.JarLauncher"]

I know the Debian distribution contains numerous vulnerabilities. Is it possible for SonarCloud to scan the Dockerfile to detect them? If so, how do I configure it?

Bump. At a more basic level, has anyone been able to use SonarCloud to detect vulnerabilities that are pulled in through a Docker image? Please let me know if you have, thank you in advance. My organization would really like to use Sonar as our primary tool to detect vulnerabilities.

Hi,

Is this about dependency scanning? SonarCloud does SAST / static analysis, not SCA.

Ann