Hi everyone.
We are trying to upload a Trivy vulnerability SARIF report from a GitHub Action to SonarQube 10.2, but we cannot see the results in the dashboard.
We are using aquasecurity/trivy-action ("Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities"); the report is created successfully and is valid.
This is what we see when we follow sonarqube/api/ce/task?id=…:
{"task":{"id":"AY0g8mmq2xBPXuAlw4C6","type":"REPORT","componentId":"AY0SKm0Z2xBPXuAlw3_g","componentKey":"container","componentName":"container","componentQualifier":"TRK","status":"FAILED","submittedAt":"2024-01-19T08:59:34+0000","submitterLogin":"admin","startedAt":"2024-01-19T08:59:43+0000","executedAt":"2024-01-19T08:59:44+0000","executionTimeMs":1313,"errorMessage":"Fail to process issues of component \u0027container\u0027 (Visit of Component {key\u003dcontainer,type\u003dPROJECT} failed)","errorStacktrace":"org.sonar.ce.task.projectanalysis.component.VisitException: Visit of Component {key\u003dcontainer,type\u003dPROJECT} failed\n\tat org.sonar.ce.task.projectanalysis.component.VisitException.rethrowOrWrap(VisitException.java:44)\n\tat org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:71)\n\tat org.sonar.ce.task.projectanalysis.step.ExecuteVisitorsStep.execute(ExecuteVisitorsStep.java:51)\n\tat org.sonar.ce.task.step.ComputationStepExecutor.executeStep(ComputationStepExecutor.java:79)\n\tat org.sonar.ce.task.step.ComputationStepExecutor.executeSteps(ComputationStepExecutor.java:70)\n\tat org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:57)\n\tat org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:212)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:194)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:160)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:135)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:87)\n\tat org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)\n\tat com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)\n\tat com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:75)\n\tat com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)\n\tat java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)\n\tat java.base/java.util.concurrent.FutureTask.run(Unknown Source)\n\tat java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)\n\tat java.base/java.lang.Thread.run(Unknown Source)\nCaused by: java.lang.IllegalStateException: Fail to process issues of component \u0027container\u0027\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.visitAny(IntegrateIssuesVisitor.java:104)\n\tat org.sonar.ce.task.projectanalysis.component.TypeAwareVisitorWrapper.visitAny(TypeAwareVisitorWrapper.java:77)\n\tat org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitNode(VisitorsCrawler.java:114)\n\tat org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visitImpl(VisitorsCrawler.java:97)\n\tat org.sonar.ce.task.projectanalysis.component.VisitorsCrawler.visit(VisitorsCrawler.java:69)\n\t... 20 more\nCaused by: java.lang.NullPointerException: Cannot invoke \"java.util.Collection.stream()\" because \"this.bases\" is null\n\tat org.sonar.core.issue.tracking.Tracking.getUnmatchedBases(Tracking.java:73)\n\tat org.sonar.core.issue.tracking.AbstractTracker.match(AbstractTracker.java:41)\n\tat org.sonar.core.issue.tracking.AnticipatedTransitionTracker.track(AnticipatedTransitionTracker.java:34)\n\tat org.sonar.ce.task.projectanalysis.issue.TransitionIssuesToAnticipatedStatesVisitor.onIssue(TransitionIssuesToAnticipatedStatesVisitor.java:72)\n\tat org.sonar.ce.task.projectanalysis.issue.IssueVisitors.onIssue(IssueVisitors.java:41)\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.processIssue(IntegrateIssuesVisitor.java:158)\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.lambda$processIssues$0(IntegrateIssuesVisitor.java:109)\n\tat java.base/java.lang.Iterable.forEach(Unknown Source)\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.processIssues(IntegrateIssuesVisitor.java:109)\n\tat org.sonar.ce.task.projectanalysis.issue.IntegrateIssuesVisitor.visitAny(IntegrateIssuesVisitor.java:98)\n\t... 24 more\n","scannerContext":"Plugins:\nBundled analyzers:\n - Clean as You Code 2.1.0.500 (cayc)\n - IaC Code Quality and Security 1.20.0.5654 (iac)\n - PL/SQL Code Quality and Security 3.10.0.5282 (plsql)\n - Scala Code Quality and Security 1.14.0.4481 (sonarscala)\n - C# Code Quality and Security 9.8.0.76515 (csharp)\n - Vulnerability Analysis 10.2.0.22608 (security)\n - Java Code Quality and Security 7.24.0.32100 (java)\n - HTML Code Quality and Security 3.9.0.3600 (web)\n - Flex Code Quality and Security 2.10.0.3458 (flex)\n - XML Code Quality and Security 2.10.0.4108 (xml)\n - Text Code Quality and Security 2.3.0.1632 (text)\n - VB.NET Code Quality and Security 9.8.0.76515 (vbnet)\n - Swift Code Quality and Security 4.10.0.5999 (swift)\n - CFamily Code Quality and Security 6.48.1.62610 (cpp)\n - Python Code Quality and Security 4.7.0.12181 (python)\n - Dataflow Bug Detection Rules for Python 1.17.0.4892 (dbdpythonfrontend)\n - Dataflow Bug Detection 1.17.0.4892 (dbd)\n - Go Code Quality and Security 1.14.0.4481 (go)\n - JaCoCo 1.3.0.1538 (jacoco)\n - Kotlin Code Quality and Security 2.17.0.2902 (kotlin)\n - RPG Code Quality 3.6.0.3520 (rpg)\n - Dataflow Bug Detection Rules for Java 1.17.0.4892 (dbdjavafrontend)\n - PL/I Code Quality and Security 1.14.0.3735 (pli)\n - T-SQL Code Quality and Security 1.10.0.5799 (tsql)\n - VB6 Code Quality and Security 2.11.0.3706 (vb)\n - Apex Code Quality and Security 1.14.0.4481 (sonarapex)\n - JavaScript/TypeScript/CSS Code Quality and Security 10.5.1.22382 (javascript)\n - Ruby Code Quality and Security 1.14.0.4481 (ruby)\n - Vulnerability Rules for C# 10.2.0.22608 (securitycsharpfrontend)\n - Vulnerability Rules for Java 10.2.0.22608 (securityjavafrontend)\n - Vulnerability Rules for JS 10.2.0.22608 (securityjsfrontend)\n - COBOL Code Quality 5.5.0.6450 (cobol)\n - Vulnerability Rules for Python 10.2.0.22608 (securitypythonfrontend)\n - PHP Code Quality and Security 3.32.0.10180 (php)\n - ABAP Code Quality and Security 3.13.0.4389 (abap)\n - Configuration detection for Code Quality and Security 1.3.0.654 (config)\n - Vulnerability Rules for PHP 10.2.0.22608 (securityphpfrontend)\nGlobal server settings:\n - sonar.auth.github.allowUsersToSignUp\u003dtrue\n - sonar.auth.github.enabled\u003dtrue\n - sonar.auth.github.groupsSync\u003dtrue\n - sonar.auth.github.organizations\u003dsmc-org\n - sonar.auth.github.webUrl\u003dhttps://github.com/\n - sonar.core.id\***********\n - sonar.core.serverBaseURL\u003dhttps://***.****.**/sonarqube\n - sonar.core.startTime\u003d2023-12-12T08:33:46+0000\n - sonar.dbcleaner.branchesToKeepWhenInactive\u003dmaster\n - sonar.dbcleaner.daysBeforeDeletingInactiveBranchesAndPRs\u003d7\n - sonar.forceAuthentication\u003dtrue\n - sonar.plugins.risk.consent\u003dACCEPTED\n - sonar.projectCreation.mainBranchName\u003dmaster\nProject server settings:\nProject scanner properties:\n - sonar.branch.name\u003d*****\n - sonar.host.url\u003dhttps://***.****.**/sonarqube/\n - sonar.projectBaseDir\u003d/usr/src\n - sonar.projectKey\u003dcontainer\n - sonar.sarifReportPaths\u003d/usr/src/result.sarif\n - sonar.scanner.app\u003dScannerCLI\n - sonar.scanner.appVersion\u003d5.0.1.3006\n - sonar.sourceEncoding\u003dUTF-8\n - sonar.working.directory\u003d/usr/src/.scannerwork","hasScannerContext":true,"branch":"***","branchType":"BRANCH","warningCount":1,"warnings":["SCM provider autodetection failed. Please use \"sonar.scm.provider\" to define SCM of your project, or disable the SCM Sensor in the project settings."]}}
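A pre-flight check that a practitioner would run on `result.sarif` before handing it to `sonar-scanner` via `sonar.sarifReportPaths`. This is an added example, not code from the post above and not part of Trivy or SonarQube. It walks the SARIF 2.1.0 structure and flags the things a file-oriented importer cannot attach an issue to: results with no location, locations without `artifactLocation.uri` or a valid `region.startLine`, unknown `level` values, and (when a base directory is given) URIs that do not resolve to a file under the scanner's `sonar.projectBaseDir`. Which of these SonarQube's importer tolerates is an assumption here, not something the post establishes; the sample SARIF document, the placeholder rule id and the package name in it are constructed for the example.

```python
"""Sanity-check a SARIF 2.1.0 file before feeding it to sonar.sarifReportPaths.

Added example (not from the post, Trivy or SonarQube). The set of fields
checked is an assumption about what a file-oriented importer needs.
"""
import json
import sys
from pathlib import Path

# Constructed sample in the trimmed shape of a Trivy image-scan run.
# CVE-0000-0000 and libplaceholder are placeholders, not real findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-0000",
             "shortDescription": {"text": "placeholder rule"}}]}},
        "results": [
            # well-formed: rule, message, level, file uri and a line
            {"ruleId": "CVE-0000-0000", "level": "error",
             "message": {"text": "Package: libplaceholder\nInstalled Version: 1.0"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Dockerfile"},
                 "region": {"startLine": 1, "startColumn": 1}}}]},
            # no location at all: nothing for a file-based importer to hang it on
            {"ruleId": "CVE-0000-0000", "level": "warning",
             "message": {"text": "result without any location"}},
            # image reference as uri, no region, and a level SARIF does not define
            {"ruleId": "CVE-0000-0000", "level": "bogus",
             "message": {"text": "uri only, no region"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "example.org/image:latest"}}}]},
        ],
    }],
})

# The four result levels defined by SARIF 2.1.0.
VALID_LEVELS = {"none", "note", "warning", "error"}


def check_sarif(text, base_dir=None):
    """Return {'results': n, 'problems': [...]} for the SARIF document in text.

    base_dir, when given, is the directory the scanner treats as project root;
    every artifactLocation.uri is then resolved relative to it.
    """
    doc = json.loads(text)
    report = {"results": 0, "problems": []}
    if doc.get("version") != "2.1.0":
        report["problems"].append(f"unexpected SARIF version {doc.get('version')!r}")
    for ri, run in enumerate(doc.get("runs", [])):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            report["problems"].append(f"run {ri}: missing tool.driver.name")
        for i, res in enumerate(run.get("results", [])):
            report["results"] += 1
            tag = f"run {ri} result {i}"
            if not res.get("ruleId"):
                report["problems"].append(f"{tag}: missing ruleId")
            if not res.get("message", {}).get("text"):
                report["problems"].append(f"{tag}: missing message.text")
            level = res.get("level")
            if level is not None and level not in VALID_LEVELS:
                report["problems"].append(f"{tag}: unknown level {level!r}")
            locs = res.get("locations") or []
            if not locs:
                report["problems"].append(f"{tag}: no location")
                continue
            for loc in locs:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                if not uri:
                    report["problems"].append(f"{tag}: location without artifactLocation.uri")
                    continue
                start = phys.get("region", {}).get("startLine")
                if not isinstance(start, int) or start < 1:
                    report["problems"].append(f"{tag}: {uri}: missing or invalid region.startLine")
                if base_dir is not None and not (Path(base_dir) / uri).is_file():
                    report["problems"].append(f"{tag}: {uri}: not a file under {base_dir}")
    return report


def main(argv):
    # usage: check_sarif.py [result.sarif [project-base-dir]]; no args runs the sample
    text = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_SARIF
    base_dir = argv[2] if len(argv) > 2 else None
    report = check_sarif(text, base_dir)
    print(f"{report['results']} result(s), {len(report['problems'])} problem(s)")
    for p in report["problems"]:
        print(" -", p)
    return 1 if report["problems"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real `result.sarif` with the same base directory the scanner uses (`/usr/src` in the scanner context above) as a step before `sonar-scanner`: if most results come back as "no location" or "not a file under …", the importer has nothing to attach them to, which is worth knowing before reading a Compute Engine stack trace.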