- SonarQube 9.7.1
- GitHub - dependency-check/dependency-check-sonar-plugin: Integrates Dependency-Check reports into SonarQube (3.1.0)
Hello, our company scans every repository for dependency vulnerabilities, static analysis and dynamic scanning every day. I’m running into problems with SonarQube’s “issue date”. I can have a repository with zero “issues” yesterday. A new CVE will come out today, our scanner will find it and the issue is marked with an “issue created date” that might be 200 days old. This isn’t an issue that was open/closed/reopened/…. Brand new issue.
- I have all SCM turned off, as I don’t care who did what when. I care the CVE is 1 day old and I expect our teams to resolve “blockers in x days”, “critical in x days”. So, when a team has a clean repo and then a new issue is created, getting a 200 day old count doesn’t make them happy.
- I have tried messing w/ “new code” a few different ways. Right now I have it set so that each scan is “new code”. The behavior of the “issue creation date” is the same no matter what I do.
- Currently we use API calls against SonarQube open issue creationDate to count issue age.
I realize that I’m using a plugin to load dependency vulnerability information and so your response might be, “not our problem”. If that’s the case, is it impossible to ask that the API return audit flags like “actually_created_date”. I need that date badly to ensure teams are in compliance.
Thanks.
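As an added illustration of the age calculation the post describes (this is example code, not the poster's script and not part of the SonarQube or dependency-check-sonar-plugin projects), the block below parses a constructed, trimmed copy of what a `GET /api/issues/search?statuses=OPEN` response looks like and reports each open issue's age in days against a set of hypothetical per-severity remediation windows. The issue keys, dates, rule id and SLA numbers are all invented; the date-field name to age by is a parameter so the same code can be pointed at `creationDate` or any other date field the API exposes.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the shape of a SonarQube /api/issues/search
# response, trimmed to the fields this example reads. Keys, dates and the
# rule id are invented for illustration only.
SAMPLE_RESPONSE = json.dumps({
    "total": 3,
    "issues": [
        {"key": "issue-1", "rule": "example:dependency-cve", "severity": "BLOCKER",
         "status": "OPEN", "creationDate": "2022-04-20T10:00:00+0000"},
        {"key": "issue-2", "rule": "example:dependency-cve", "severity": "CRITICAL",
         "status": "OPEN", "creationDate": "2022-11-01T09:15:00+0000"},
        {"key": "issue-3", "rule": "example:dependency-cve", "severity": "MAJOR",
         "status": "OPEN", "creationDate": "2022-11-10T16:45:00+0000"},
    ],
})

# Hypothetical remediation windows ("blockers in x days", ...), in days.
SLA_DAYS = {"BLOCKER": 7, "CRITICAL": 30, "MAJOR": 90}

# Fixed reference time so the output is reproducible; a real run would use
# datetime.now(timezone.utc).
DEMO_NOW = datetime(2022, 11, 15, 12, 0, 0, tzinfo=timezone.utc)


def parse_sonar_date(value: str) -> datetime:
    """SonarQube emits dates like 2022-04-20T10:00:00+0000 (offset without a colon)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def issue_age_days(issue: dict, now: datetime, date_field: str = "creationDate") -> int:
    """Whole days elapsed since the chosen date field of one issue.

    The field name is a parameter because the post reports that creationDate
    can be far older than the CVE it flags; the arithmetic is the same for
    any ISO-8601 date field in the response.
    """
    stamped = parse_sonar_date(issue[date_field])
    return (now - stamped).days


def sla_report(response_json: str, now: datetime,
               sla_days: dict = SLA_DAYS, date_field: str = "creationDate") -> list:
    """One record per OPEN issue: age in days and whether it exceeds its SLA."""
    data = json.loads(response_json)
    report = []
    for issue in data["issues"]:
        if issue.get("status") != "OPEN":
            continue  # closed/resolved issues are not aged
        age = issue_age_days(issue, now, date_field)
        limit = sla_days.get(issue["severity"])  # None if no window is defined
        report.append({
            "key": issue["key"],
            "severity": issue["severity"],
            "age_days": age,
            "sla_days": limit,
            "overdue": limit is not None and age > limit,
        })
    return report


if __name__ == "__main__":
    for row in sla_report(SAMPLE_RESPONSE, DEMO_NOW):
        print(row)
```

With the constructed dates, `issue-1` comes out at 209 days old and overdue even though, in the scenario the post describes, the CVE behind it may have been published yesterday; that is exactly the mismatch the post is complaining about, and nothing in this block can correct it, since the age can only be as accurate as the date field the API returns.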