How to add scan results (OWASP ZAP) to existing task id in SonarQube

Hi there,

I’m using the sonarqube-maven-plugin in combination with OWASP tools in my Jenkins CI.
After build and unit / integration tests have completed, I run OWASP dependency-check (Maven plugin).
Then the SonarQube scan is executed, and the SonarQube quality gate validates the analysis result.

Later, the application gets deployed, and some more tests are run.
One of them is the OWASP ZAP API scanner (Docker).
This scanner also creates a result file, which can be uploaded to SonarQube.

Is it possible to upload additional scan results to an existing scan (task id)?

Greetings, Michael

Hello @STP,

What you ask is not possible. Everything that you can attach to a SonarQube scan has to happen as part of a (more or less) synchronous pipeline. The reason is that SonarQube would not be able to guarantee that the data that you would add to a taskId corresponds to the code that was analysed earlier with this taskId. You should deploy the application and run the OWASP ZAP API scan as part of the same synchronous pipeline if you want to add this to the taskId.

Olivier
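The pipeline ordering Olivier describes, as an added example and not code from either poster: deployment and the ZAP API scan are moved ahead of the SonarQube step so that all reports are ingested by the single analysis task. The staging URL, the deploy script, the Jenkins SonarQube server name ('sonarqube') and the report-path property names of the community Dependency-Check and ZAP SonarQube plugins are assumptions, not taken from the thread.

```groovy
// Jenkinsfile: deploy and ZAP-scan before the SonarQube step, so one task gets all reports.
pipeline {
    agent any
    environment {
        STAGING_URL = 'https://staging.example.internal'   // placeholder, team-owned environment
        ZAP_REPORT  = 'zap-report.xml'
    }
    stages {
        stage('Build & test') {
            steps { sh 'mvn -B clean verify' }
        }
        stage('Dependency-Check') {
            steps { sh 'mvn -B org.owasp:dependency-check-maven:check' }
        }
        stage('Deploy to staging') {
            // Placeholder for whatever publishes the build output to the staging environment.
            steps { sh './deploy-to-staging.sh' }
        }
        stage('ZAP API scan') {
            steps {
                // Official ZAP image; zap-api-scan.py reads the app's OpenAPI spec and writes an
                // XML report (-x) into the mounted workspace. -I: warnings do not fail the step.
                sh """
                  docker run --rm -v "\$PWD:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable \\
                    zap-api-scan.py -t ${STAGING_URL}/v3/api-docs -f openapi -x ${ZAP_REPORT} -I
                """
            }
        }
        stage('SonarQube analysis') {
            steps {
                withSonarQubeEnv('sonarqube') {
                    // Both reports are handed to the single sonar:sonar run. Property names are those
                    // of the community Dependency-Check and ZAP SonarQube plugins (assumed; verify).
                    sh """
                      mvn -B sonar:sonar \\
                        -Dsonar.dependencyCheck.xmlReportPath=target/dependency-check-report.xml \\
                        -Dsonar.zaproxy.reportPath=${ZAP_REPORT}
                    """
                }
            }
        }
        stage('Quality gate') {
            steps {
                timeout(time: 10, unit: 'MINUTES') { waitForQualityGate abortPipeline: true }
            }
        }
    }
}
```

The quality gate check runs last because it now covers the dependency-check and ZAP findings as well; `waitForQualityGate` needs the SonarQube webhook to Jenkins configured.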