I don't see bandit issues in sonarqube

Must-share information (formatted with Markdown):

I posted my issue on stackoverflow : https://stackoverflow.com/questions/62343897/where-are-displayed-bandit-issues-in-sonarqube-ui
I'm a novice with SonarQube and with topic creation; please tell me if information is missing.

Thanks in advance

Hello,

This is the correct place to ask questions about SonarQube to maximize your chance to get an answer from the SonarQube community or directly from SonarSourcers.

FYI there is no reason to continue to use Bandit because SonarQube and SonarCloud provide out-of-the-box security rules (Vulnerabilities and Security Hotspots). The possibility to import Bandit rules is left here to ease the transition from Bandit to SonarSource native security rules.

That said, if you really want to import your Bandit issues into SonarQube, you should first check that Bandit generated issues and that you have a report full of issues.
Secondly, make sure there is no typo in the parameter added to your Scanner command line:

-Dsonar.python.bandit.reportPaths=

Last, it would be great to post here the logs of your scan, the command line you run and the content of your Bandit report.

Regards

Hello, sorry for my late reply

I'm a student, I was very busy. I took screenshots

bandit_report.json

Here is my command

sonar-scanner -Dsonar.projectKey=pictures_manager -Dsonar.sources=. -Dsonar.host.url=http://localhost:9000 -Dsonar.login=XXXXX -Dsonar.python.bandit.reportPaths=bandit_report.json

Docker-compose.yml

version: "3"

services:
  sonarqube:
    container_name: sonarqube_ui
    image: sonarqube
    expose:
      - 9000
    ports:
      - "127.0.0.1:9000:9000"
    networks:
      - sonarnet
    environment:
      - SONARQUBE_JDBC_URL=jdbc:postgresql://db:5432/sonar
      - SONARQUBE_JDBC_USERNAME=sonar
      - SONARQUBE_JDBC_PASSWORD=sonar
    volumes:
      - sonarqube_conf:/opt/sonarqube/conf
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_bundled-plugins:/opt/sonarqube/lib/bundled-plugins

  db:
    container_name: sonarqube_db
    image: postgres
    networks:
      - sonarnet
    environment:
      - POSTGRES_USER=sonar
      - POSTGRES_PASSWORD=sonar
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data

networks:
  sonarnet:

volumes:
  sonarqube_conf:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_bundled-plugins:
  postgresql:
  postgresql_data:

sonar-project.properties

sonar.projectKey=pictures_manager
sonar.projectName=pictures_manager

sonar.sourceEncoding=UTF-8
sonar.sources=.

# Python
sonar.python.bandit.reportPaths=bandit_report.json

sonar.exclusions=**/*.pyc,**/*.ini,**/test-*.py
sonar.test.exclusions=**/test_*.py,**/*.pyc

Here are the logs of my sonar scanner

I hope it can help you to resolve my problem. Thanks a lot

I found the problem: when I used sonar-scanner, there was a venv folder. So I found a lot of analysis with the venv, so I just put venv in .gitignore. Moreover my bandit command line was bad. I need to exclude the venv folder like this: bandit --verbose --ignore-nosec --recursive --exclude ./venv -o bandit_report.json -f json .
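The two things this thread turns on are whether the Bandit report actually contains findings and whether those findings come from the project or from a virtualenv that should have been excluded. The following added Python example (not code from the thread, from SonarQube or from Bandit) parses a constructed report with the same layout as `bandit -f json` output and splits the findings along those lines; the sample findings and the excluded directory names are assumptions.

```python
import json
from pathlib import PurePosixPath

# Constructed sample in the shape `bandit -f json` writes (not the poster's real
# report): two findings in the project tree plus one Bandit picked up inside the
# virtualenv because ./venv was not excluded from the bandit run.
SAMPLE_REPORT = """
{
  "errors": [],
  "generated_at": "2020-06-12T10:00:00Z",
  "results": [
    {"filename": "./pictures/views.py", "line_number": 12, "test_id": "B105",
     "test_name": "hardcoded_password_string", "issue_severity": "LOW",
     "issue_confidence": "MEDIUM", "issue_text": "Possible hardcoded password: 'secret'"},
    {"filename": "./pictures/utils.py", "line_number": 40, "test_id": "B602",
     "test_name": "subprocess_popen_with_shell_equals_true", "issue_severity": "HIGH",
     "issue_confidence": "HIGH", "issue_text": "subprocess call with shell=True identified"},
    {"filename": "./venv/lib/python3.8/site-packages/pkg/util.py", "line_number": 7,
     "test_id": "B110", "test_name": "try_except_pass", "issue_severity": "LOW",
     "issue_confidence": "HIGH", "issue_text": "Try, Except, Pass detected."}
  ]
}
"""


def summarize_bandit_report(report_text, excluded_dirs=("venv", ".venv")):
    """Parse a Bandit JSON report and show what a SonarQube import would receive.

    Returns the total finding count, counts per severity, findings under an
    excluded directory (noise that `bandit --exclude ./venv` keeps out), and
    the remaining project findings, each as "filename:line test_id".
    """
    report = json.loads(report_text)
    if not isinstance(report.get("results"), list):
        raise ValueError("not a Bandit JSON report: missing 'results' list")
    by_severity, noise, kept = {}, [], []
    for r in report["results"]:
        sev = r["issue_severity"]
        by_severity[sev] = by_severity.get(sev, 0) + 1
        # PurePosixPath drops the leading "./", so parts are the directory names.
        in_excluded = any(p in excluded_dirs for p in PurePosixPath(r["filename"]).parts)
        (noise if in_excluded else kept).append(f"{r['filename']}:{r['line_number']} {r['test_id']}")
    return {"total": len(report["results"]), "by_severity": by_severity,
            "noise": noise, "kept": kept}


if __name__ == "__main__":
    # An empty "kept" list or a "total" of 0 means there is nothing for SonarQube to import.
    print(json.dumps(summarize_bandit_report(SAMPLE_REPORT), indent=2))
```

Run it against the real bandit_report.json to confirm the file the `sonar.python.bandit.reportPaths` parameter points at is non-empty and free of virtualenv noise before looking for the issues in the SonarQube UI.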
