Npm audit results in SonarCloud

  • Bitbucket Cloud
  • AWS CodePipeline for CI
  • Language: JavaScript React/Node

We’ve connected a React/Node project to SonarCloud.

I’d like to import the results from npm audit as issues in SonarCloud.

I am using the following command to generate both a JSON and HTML report of dependency issues returned from the ‘npm audit’ command.

npm audit --json > ./coverage/npm-audit.json && ./node_modules/.bin/npm-audit-html --input ./coverage/npm-audit.json --output ./coverage/npm-audit.html

In the docs, I found a reference to the following sonar project properties…

sonar.dependencyCheck.jsonReportPath=coverage/npm-audit.json
sonar.dependencyCheck.htmlReportPath=coverage/npm-audit.html

These may just be for Java projects though. How do we confirm that dependency analysis issues are making their way into our SonarCloud instance? If they aren’t, what’s the best way to do so?

Hey there.

SonarCloud does not accept Dependency Check reports (in SonarQube there is a community-supported plugin that accomplishes this, which is not available on SonarCloud).

For the most part, we really leave any sort of SCA (Software Component Analysis) to those who do it best (like our friends at Snyk or WhiteSource), while our focus is static analysis.

If you really wanted to get these results in SonarCloud somehow, you could try converting the reports to Generic Issue Data.

Thank you, this is very helpful. Are the generic issues tracked across scans, or would importing the output of two npm audit scans run at different times with no changes in between result in duplicates?

Jordan

I built out a solution - but it ain’t pretty:
you use jq to convert the npm audit json to custom metric data (using ‘dist’ as a working space that’s .gitignored):
npm audit --json | jq --argfile lookups dist/lookups.json -f dist/jqfilter.json > dist/npmaudit-sonar.json

contents of jqfilter.json (this is a jq program, not a JSON document, despite the file extension):
{ issues : [ .vulnerabilities | to_entries[] | {engineId: "npmaudit", ruleId: "npmaudit", type: "BUG", severity: ($lookups[.value.severity]), primaryLocation: {message: .value.name,"filePath":"package.json"}} ]}

contents of lookups.json:
{"moderate":"MINOR","high":"MAJOR","critical":"CRITICAL","low":"INFO","info":"INFO","none":"INFO"}

then at scan time you add:
-Dsonar.externalIssuesReportPaths=dist/npmaudit-sonar.json

I did say it wasn’t pretty …

@Bonespike I’m trying this now. Is the formatting of jqfilter.json above correct? My IDE is complaining that it’s not valid JSON. When I run the npm command, I get “jq: error (at :1082): null (null) has no keys”.

Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.
