Dear sonar community,
We have recently introduced the GitHub project dependency-check/dependency-check-sonar-plugin (Integrates Dependency-Check reports into SonarQube).
We have done so in a .NET project. Doing some tests, we have observed that when introducing a new vulnerability detected by the OWASP dependency scanner, it is not associated with new code; in fact, the relevant csproj where the vulnerable dependency has been added is not shown in the Code tab.
Hence this vulnerability is only displayed in the overall section but not linked to any file or line of code.
Ideally we would like to prevent the QG for an MR from passing when a new vulnerability raised by the OWASP dependency check is detected.
Am I missing something, or is this not possible nowadays?
Thanks in advance.
Raising these as specific issues (referencing a file and line) is a feature request best targeted at the maintainers of this plugin.
Thank you, Collin, for your response. I have been able to run the same test with a Maven project, and new vulnerabilities added are properly raised in the MR, referring to the relevant lines in pom.xml.
So I guess the issue is that the csproj file is not being included. Is it possible to analyze csproj files and have them included as part of the code? If so, could you please let me know how to do it? They don't appear in the Code section.
When using the Scanner for .NET (which you need to do to analyze C# code), the .csproj doesn't get included in the analysis (even if you include it as a suffix for XML files) due to how the scanner indexes files.
And I'm still not sure that, if we did index the file, it would get attached to the file line by the OWASP Dependency-Check plugin. You might want to check with the maintainer on that; they might be best suited to raise a request to get that file indexed.
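For anyone wanting the file-and-line mapping the thread describes for pom.xml but is missing for csproj, here is an added Python example (not code from this thread, from the dependency-check-sonar-plugin, or from SonarSource) that does that mapping outside SonarQube: it reads a Dependency-Check JSON report, finds the `<PackageReference>` line in the .csproj that pulls in each vulnerable package, keeps only findings on lines an MR changed, and decides a simple pass/fail gate by severity. The report fields it reads (`dependencies[].packages[].id` as a `pkg:nuget/...` purl, `dependencies[].vulnerabilities[].name` and `.severity`) are an assumption about the report layout, and both the report and the csproj below are constructed samples.

```python
import re

# Constructed sample of a Dependency-Check JSON report, reduced to the fields
# this example reads. The field layout is an assumption about the real report
# format; verify it against an actual report before relying on it.
SAMPLE_REPORT = {
    "dependencies": [
        {
            "fileName": "Newtonsoft.Json:12.0.1",
            "packages": [{"id": "pkg:nuget/Newtonsoft.Json@12.0.1"}],
            "vulnerabilities": [
                {"name": "EXAMPLE-VULN-0001", "severity": "HIGH"}  # placeholder id
            ],
        },
        {
            "fileName": "Serilog:2.10.0",
            "packages": [{"id": "pkg:nuget/Serilog@2.10.0"}],
            "vulnerabilities": [],
        },
    ]
}

# Constructed .csproj referencing the two packages above. Versions are given in
# the Version attribute (a <Version> child element is not handled here).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Serilog" Version="2.10.0" />
    <PackageReference Include="Newtonsoft.Json" Version="12.0.1" />
  </ItemGroup>
</Project>
"""

PURL_RE = re.compile(r"^pkg:nuget/(?P<name>[^@]+)@(?P<version>[^?#]+)")
# Assumes Include precedes Version on the same line, as in the sample csproj.
PKGREF_RE = re.compile(
    r'<PackageReference\s+[^>]*Include="(?P<name>[^"]+)"[^>]*Version="(?P<version>[^"]+)"',
    re.IGNORECASE,
)


def parse_nuget_purl(purl):
    """Return (name, version) for a pkg:nuget purl, or None for other ecosystems."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    return m.group("name"), m.group("version")


def index_package_references(csproj_text):
    """Map (lowercased package id, version) to the 1-based line of its PackageReference.
    NuGet package ids are case-insensitive, hence the lowercasing."""
    index = {}
    for lineno, line in enumerate(csproj_text.splitlines(), start=1):
        m = PKGREF_RE.search(line)
        if m:
            index[(m.group("name").lower(), m.group("version"))] = lineno
    return index


def locate_findings(report, csproj_text):
    """Attach each reported vulnerability to the csproj line that pulls in the package.
    A transitive dependency has no PackageReference, so its line stays None and the
    finding remains project-level, which is what the thread observes in SonarQube."""
    index = index_package_references(csproj_text)
    findings = []
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        for pkg in dep.get("packages") or []:
            parsed = parse_nuget_purl(pkg.get("id", ""))
            if parsed is None:
                continue
            name, version = parsed
            line = index.get((name.lower(), version))
            for v in vulns:
                findings.append({
                    "package": name,
                    "version": version,
                    "vulnerability": v.get("name"),
                    "severity": (v.get("severity") or "").upper(),
                    "line": line,
                })
    return findings


def new_findings(findings, changed_lines):
    """Keep only findings whose csproj line is among the lines the MR touched."""
    return [f for f in findings if f["line"] in changed_lines]


def quality_gate_passes(findings, fail_on=("CRITICAL", "HIGH")):
    """Fail the gate when any finding is at one of the listed severities."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    found = locate_findings(SAMPLE_REPORT, SAMPLE_CSPROJ)
    for f in found:
        print(f"{f['vulnerability']} ({f['severity']}): {f['package']}@{f['version']} "
              f"at csproj line {f['line']}")
    # Pretend the MR changed line 4 of the csproj (the Newtonsoft.Json reference).
    gate = quality_gate_passes(new_findings(found, {4}))
    print("quality gate:", "PASS" if gate else "FAIL")
```

In a pipeline the `changed_lines` set would come from the MR diff of the csproj, so a vulnerability that was already present before the MR does not block it, while one introduced by a new or bumped `PackageReference` does; findings with `line` set to `None` (transitive packages) can be reported separately at project level rather than silently ignored.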