Version and deployment details:
SonarScanner 4.6.2.2472
SonarQube 10.0.0-developer
sonar-dependency-check 4.0.1 (SonarQube plugin)
OWASP Dependency-Check 5.5.1 (Jenkins plugin)
Deployed as Docker
We are using the SonarQube Enterprise version and were testing it on a branch which has an intentional vulnerability, introduced by adding a Go module dependency on an older version known to have CWE-403 and CWE-668. This is not being detected by SonarQube. We are using the dependencyCheck plugin for this purpose.
Here is the config for our pipeline:
stage('Dependency-Check') {
    steps {
        withCredentials([string(credentialsId: 'nvd-api-key', variable: 'NVD_API_KEY')]) {
            dependencyCheck additionalArguments: '--format ALL --scan ./ --enableExperimental g ${NVD_API_KEY}', odcInstallation: 'Dependency-Check'
            dependencyCheckPublisher pattern: 'dependency-check-report.xml'
        }
    }
}
stage('Sonarqube scan') {
    when {
        expression {
            return (env.CHANGE_TARGET == null || env.CHANGE_TARGET.isEmpty() || !env.CHANGE_TARGET.matches('^release/.*'))
        }
    }
    steps {
        withSonarQubeEnv('sonarqube-test') {
            sh '/opt/sonar-scanner/bin/sonar-scanner'
        }
        script {
            sleep 60
        }
    }
}
Sonarqube properties:
sonar.projectKey=<removed>
sonar.projectName=<removed>
sonar.host.url=<removed>
sonar.sources=./
sonar.language=go
sonar.exclusions=**/dependency-check-report.html,**/dependency-check-report.xml,**/dependency-check-report.json,**/dependency-check-jenkins.html,**/dependency-check-junit.xml
sonar.dependencyCheck.htmlReportPath=./dependency-check-report.html
sonar.dependencyCheck.jsonReportPath=./dependency-check-report.json
sonar.dependencyCheck.reportPath=dependency-check-report.xml
sonar.dependencyCheck.securityHotspot=true
I suspect we are missing something in the configuration; otherwise SonarQube should be able to catch these vulnerabilities. Can someone help us out, please? Thank you.
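A useful first check when the SonarQube plugin shows nothing is to confirm that the Dependency-Check report it reads (the file named by sonar.dependencyCheck.jsonReportPath) actually contains the Go module finding, since the plugin can only import what the scanner wrote. The script below is an added example, not code from the original post or from either plugin: it lists every vulnerability in a dependency-check JSON report with its CWEs and reports whether any dependency was identified as a Go module (a pkg:golang package URL, which is what the experimental Go analyzer emits). It assumes the report layout of a dependencies array whose entries carry packages[].id and vulnerabilities[].{name,severity,cwes}; the embedded sample report is constructed and its CVE id is a placeholder.

```python
import json
import sys

# Constructed sample in the shape of a dependency-check JSON report.
# The CVE id is a placeholder, not a real advisory.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "go.mod:example.com/legacy/module",
            "filePath": "/workspace/go.mod",
            "packages": [{"id": "pkg:golang/example.com/legacy/module@v1.0.0"}],
            "vulnerabilities": [
                {"name": "CVE-0000-PLACEHOLDER", "severity": "HIGH",
                 "cwes": ["CWE-403", "CWE-668"]}
            ],
        },
        {"fileName": "main.go", "filePath": "/workspace/main.go", "packages": []},
    ],
})


def load_findings(report_text):
    """Return (dependency, CVE, severity, CWE list) tuples for every
    vulnerability recorded in a dependency-check JSON report."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            findings.append((dep.get("fileName"), vuln.get("name"),
                             vuln.get("severity"), list(vuln.get("cwes", []))))
    return findings


def go_modules_scanned(report_text):
    """True when at least one dependency carries a golang package URL,
    i.e. the Go mod analyzer ran and recognised go.mod entries."""
    report = json.loads(report_text)
    return any(pkg.get("id", "").startswith("pkg:golang/")
               for dep in report.get("dependencies", [])
               for pkg in dep.get("packages", []))


if __name__ == "__main__":
    # Usage: python check_report.py dependency-check-report.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print("Go modules identified:", go_modules_scanned(text))
    for dep, cve, severity, cwes in load_findings(text):
        print(f"{severity:8} {cve:22} {', '.join(cwes):20} {dep}")
```

If the script prints no Go module and no findings for the real report, the gap is on the Dependency-Check side (analyzer or tool setup) rather than in the SonarQube import settings.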