Npm audit results in SonarCloud

Template for a good new topic, formatted with Markdown:

  • Bitbucket Cloud
  • AWS CodePipeline for CI
  • Language: JavaScript React/Node

We’ve connected a React/Node project to SonarCloud.

I’d like to import the results from npm audit as issues in SonarCloud.

I am using the following command to generate both a JSON and HTML report of dependency issues returned from the ‘npm audit’ command.

npm audit --json > ./coverage/npm-audit.json && ./node_modules/.bin/npm-audit-html --input ./coverage/npm-audit.json --output ./coverage/npm-audit.html

In the docs, I found a reference to the following sonar project properties…

sonar.dependencyCheck.jsonReportPath=coverage/npm-audit.json
sonar.dependencyCheck.htmlReportPath=coverage/npm-audit.html

These may just be for Java projects though. How do we confirm that dependency analysis issues are making their way into our SonarCloud instance? If they aren’t, what’s the best way to do so?

Hey there.

SonarCloud does not accept Dependency Check reports (in SonarQube there is a community-supported plugin that accomplishes this, but it is not available on SonarCloud).

For the most part, we really leave any sort of SCA (Software Component Analysis) to those who do it best (like our friends at Snyk or WhiteSource), while our focus is static analysis.

If you really wanted to get these results in SonarCloud somehow, you could try converting the reports to Generic Issue Data.

Thank you, this is very helpful. Are the generic issues tracked across scans, or would importing the output of two npm audit scans run at different times with no changes in between result in duplicates?

Jordan