Dependency-Check report does not exist

I am using Mocha with SonarQube to test my Node.JS application. It runs on Jenkins.
This is my dependency in package.json:

"mocha-sonarqube-reporter": "^1.0.1",
"sonarqube-scanner": "^2.6.0"

This is my script:

const scanner = require("sonarqube-scanner");
    serverUrl: "http://sonarqube.dp-common-quality.svc.cluster.local:9000",
	token: "60c98634b2c56a9948d0bfbb4e2d1286779368a4",
    options: {
      "sonar.projectVersion": "1.0.0",
	  "sonar.sourceEncoding": "UTF-8",
	  "sonar.log.level": "TRACE",
	  "sonar.verbose": "true",
	  "sonar.scm.disabled": "true",
	  "sonar.sources": "BusinessLogic, routes, bin, app.js",
	  "sonar.tests": "tests",
	  "sonar.test.inclusions": "tests/apitests.js",
	  "sonar.javascript.jstest.reportsPath": "test_reports",
      "sonar.javascript.lcov.reportPath": "coverage/",
      "sonar.testExecutionReportPaths": "test_reports/sonarqube/test_results.xml"
  () => process.exit()

It crashes with the following stacktrace:

06:58:49.235 WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.xml
06:58:49.238 DEBUG: Analysis aborted due to missing report file Dependency-Check report does not exist.
	at org.sonar.dependencycheck.parser.XmlReportFile.getInputStream(
	at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(
	at org.sonar.dependencycheck.DependencyCheckSensor.execute(
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(
	at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(
	at org.sonar.core.platform.ComponentContainer.startComponents(
	at org.sonar.core.platform.ComponentContainer.execute(
	at org.sonar.scanner.scan.ProjectScanContainer.scan(
	at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(
	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(
	at org.sonar.core.platform.ComponentContainer.startComponents(
	at org.sonar.core.platform.ComponentContainer.execute(
	at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(
	at org.sonar.core.platform.ComponentContainer.startComponents(
	at org.sonar.core.platform.ComponentContainer.execute(
	at org.sonar.batch.bootstrapper.Batch.doExecute(
	at org.sonar.batch.bootstrapper.Batch.execute(
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(
	at com.sun.proxy.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(
	at org.sonarsource.scanner.cli.Main.execute(
	at org.sonarsource.scanner.cli.Main.execute(
	at org.sonarsource.scanner.cli.Main.main(

What do I miss? Any advice and insight is appreciated.


First, the dependency check plugin is a 3rd-party plugin provided by the community. That’s (probably) only a side note.

What’s interesting is that it’s trying to read a report at a specific location when you apparently haven’t told it to. So the question is where that configuration is coming from. The docs give the possible sources of analysis configuration and their precedence. IIWY, I’d start looking at the global level and work my way down.

If you can’t find it anywhere, you might try dumping all your analysis parameters out to file (sonar.scanner.dumpToFile=[filename]) to make sure it’s being passed (as opposed to the plugin just assuming it’s there - not that I think that’s really likely).


Hi, I can do what you suggest but I always thought “${WORKSPACE}/dependency-check-report.xml” the default value of the configuration property. No?


There are often default paths at which plugins look for their reports, but I wouldn’t expect a plugin to set a default path that contains an environment variable (${WORKSPACE}).


Just checked the project at git:, ${WORKSPACE}/ are the default values. We have to provide the configuration values and the dependency check reports have to be present for the sonarqube scan to proceed.


Wow. Thanks for the follow up and the report. I guess you know what your workaround is (uninstalling the plugin). Have you / can you file an issue on the project?

… if this breaks analysis for projects that don’t have a report… I think I need to mark it incompatible in the Marketplace until this gets sorted out.


No, I do not uninstall this built-in plug in which comes installed with your plug in. How to do that? Yes, you should mark it as incompatible as I didn’t have any dependency report generated and your plugin just gets stuck and doesn’t continue the scanning. I will file an issue at the github project.

Hi Ann and khteh,
As you can read in the WARN output, this plugin skips the processing if no report is found. So you should not have any issues if no report is found.
The stacktrace in DEBUG output is only used for debugging and has no effect at all.
The environment variable WORKSPACE has historical reasons, because the plugin was developed in conjunction with Jenkins.
@khteh Can you provide a step by step guidance to reproduce your issue.

Hi @khteh,
it seems that you are using a very old version of the dependency-check-sonar-plugin.

You have a warning message telling you that you should check the sonar.dependencyCheck.reportPath property. This property didn’t even exist anymore.
As you can see in this commit, I changed the property before plugin version 2.0.0.

If no reports are provided, the actual output of the plugin should look like this.

[INFO] Process Dependency-Check report
[INFO] Using JSON-Reportparser
[INFO] Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:/home/philipp/git/dependency-check-sonar-plugin/examples/single-module-maven/target/dependency-check-report.json
[INFO] JSON-Analysis skipped/aborted due to missing report file
[INFO] Using XML-Reportparser
[INFO] Dependency-Check XML report does not exists. Please check property sonar.dependencyCheck.xmlReportPath:/home/philipp/git/dependency-check-sonar-plugin/examples/single-module-maven/target/dependency-check-report.xml
[INFO] XML-Analysis skipped/aborted due to missing report file
[INFO] Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:/home/philipp/git/dependency-check-sonar-plugin/examples/single-module-maven/target/dependency-check-report.html
[INFO] HTML-Dependency-Check report does not exist.
[INFO] Process Dependency-Check report (done) | time=24ms
[INFO] Sensor Dependency-Check [dependencycheck] (done) | time=26ms

@ganncamp As you can see in the history of the marketplace property file, I started shipping the plugin through the SonarQube marketplace after version 2.0.0. I think there is no need to mark this plugin as “incompatible”.

Hi Philipp,
This is a built-in plugin which comes installed with “sonarqube-scanner”: “^2.6.0” with npm i sonarqube-scanner CLI command. I didn’t hand-pick the version of sonarqube-scanner. I have no idea how it picks up the old version of the dependency-check plugin. Maybe this is the missing piece.


Hi @khteh,
I do not use the npm project’s sonarqube-scanner.
It seems that this project downloads and runs the normal java-based sonar-scanner.

The Java Sonar-Scanner has no pre-installed plugins. All plugins are managed by your SonarQube server. Please check the installed plugins on your SonarQube server.


No, and no.

It is not built-in, and it does not “come” with the scanner. It was installed manually by someone on your team in the SonarQube server.


1 Like

Ok. I understand better now. Thanks G Ann Campbell and Philipp.

Aaand to follow up, I’m un-delisting the plugin now.