Problems importing OWASP Dependency Check results into Sonarcloud's external analyser

  • ALM used (GitHub)
  • CI system used (Azure DevOps)
  • Scanner command used when applicable (SonarCloudAnalyze@1)
  • Languages of the repository (C#)

I’ve been attempting to run ‘OWASP Dependency Check’ in my build pipeline and then import that into Sonarcloud, but I have been running into issues when attempting to do that.

These are the steps I’ve used in attempting to do this:

I’ve run the ‘OWASP Dependency Check’ task in my pipeline and this has highlighted a number of vulnerabilities in the libraries that we are using.

I’ve converted one of those vulnerabilities into a generic-format JSON file which the external analyser accepts.
i.e.

      {
        "rules": [
          {
            "ruleId": "CVE-2022-30187",
            "name": "just_some_rule_name",
            "description": "Azure Storage Library Information Disclosure Vulnerability\n\nSonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-30187 for details",
            "engineId": "DependencyCheck",
            "cleanCodeAttribute": "FORMATTED",
            "impacts": [
              {
                "softwareQuality": "SECURITY",
                "severity": "MEDIUM"
              }
            ],
            "issues": [
              {
                "primaryLocation": {
                  "message": "fix the issue here",
                  "filePath": "D:/a/1/s/Source/XXX.Flow.Web/XXX.Flow.Web.csproj"
                }
              }
            ]
          }
        ]
      }

However, when the SonarCloudAnalyze@1 task is run, the scanner is not able to find the csproj file.

INFO: ------------- Run sensors on module XXX.Flow.Web
INFO: Sensor Import external issues report
INFO: Imported 0 issues in 0 files for ruleId 'CVE-2022-30187'
INFO: External issues for ruleId 'CVE-2022-30187' ignored for 1 unknown files, including: D:/a/1/s/Source/XXX.Flow.Web/XXX.Flow.Web.csproj
INFO: Sensor Import external issues report (done) | time=5ms

If I change the filePath to another file in the same directory, e.g. “D:/a/1/s/Source/XXX.Flow.Web/Web.config”
then it does get found.

INFO: ------------- Run sensors on module XXX.Flow.Web
INFO: Sensor Import external issues report
INFO: Imported 1 issue in 1 file for ruleId 'CVE-2022-30187'
INFO: Sensor Import external issues report (done) | time=20ms

If I try changing the filePath to the directory, e.g. “D:/a/1/s/Source/XXX.Flow.Web/”
then it also fails to get found.

INFO: ------------- Run sensors on module XXX.Flow.Web
INFO: Sensor Import external issues report
INFO: Imported 0 issues in 0 files for ruleId 'CVE-2022-30187'
INFO: External issues for ruleId 'CVE-2022-30187' ignored for 1 unknown files, including: D:/a/1/s/Source/XXX.Flow.Web/

So my problem is: how can I get the external analyser in SonarCloud to import my issues from the OWASP Dependency Check report when it doesn’t recognise the csproj files that the dependency check report is identifying as having vulnerabilities?
I am unable to use the directory where the csproj file is located as the filePath for the external issue, and I do not have a consistent file in all the projects which I could use to attach the issue to.
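As an added example (not part of the original post), here is one way to script the conversion step described above: it walks a Dependency-Check JSON report, creates one rule per CVE and one issue per affected dependency, and attaches every issue to the project file path given by the caller. It assumes the `dependencies[].fileName` / `vulnerabilities[].name|severity|description` field names of the Dependency-Check JSON schema, and it emits the top-level `rules` / `issues` layout from SonarCloud's generic issue format documentation rather than the nested layout shown in the post.

```python
import json

# Constructed sample of the relevant part of a Dependency-Check JSON report.
# Field names follow the report schema; CVE-0000-0001 is a placeholder id.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "Azure.Storage.Blobs:12.10.0",
         "vulnerabilities": [{"name": "CVE-2022-30187", "severity": "MEDIUM",
                              "description": "Azure Storage Library Information Disclosure Vulnerability"}]},
        {"fileName": "Some.Package:1.0.0",
         "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "Critical",
                              "description": "constructed placeholder finding"}]},
        {"fileName": "Newtonsoft.Json:13.0.1"},  # clean dependency: no "vulnerabilities" key
    ]
}

# Dependency-Check severities -> SonarCloud impact severities (CRITICAL collapses to HIGH).
SEVERITY_MAP = {"CRITICAL": "HIGH", "HIGH": "HIGH", "MEDIUM": "MEDIUM",
                "MODERATE": "MEDIUM", "LOW": "LOW"}


def to_generic_issues(report: dict, project_file: str) -> dict:
    """Build a SonarCloud generic issue report from a Dependency-Check report.

    One rule per CVE, one issue per (CVE, dependency) pair; every issue is
    attached to project_file, which must be a file the scanner indexes."""
    file_path = project_file.replace("\\", "/")  # scanner paths use forward slashes
    rules, issues = {}, []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            cve = vuln["name"]
            severity = SEVERITY_MAP.get(vuln.get("severity", "").upper(), "MEDIUM")
            rules.setdefault(cve, {
                "id": cve,
                "name": cve,
                "description": vuln.get("description", cve),
                "engineId": "DependencyCheck",
                "cleanCodeAttribute": "TRUSTWORTHY",
                "impacts": [{"softwareQuality": "SECURITY", "severity": severity}],
            })
            issues.append({
                "ruleId": cve,
                "primaryLocation": {"message": f"{dep['fileName']} is affected by {cve}",
                                    "filePath": file_path},
            })
    return {"rules": list(rules.values()), "issues": issues}


if __name__ == "__main__":
    target = "D:\\a\\1\\s\\Source\\XXX.Flow.Web\\XXX.Flow.Web.csproj"
    print(json.dumps(to_generic_issues(SAMPLE_REPORT, target), indent=2))
```

Write the output to a file and pass it to the scanner with `sonar.externalIssuesReportPaths`; the project file still has to be part of the analysed file set for the issues to attach.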

Hi,

This is happening because we don’t include .*proj files in .NET analysis.

However… project files are XML. Try editing your XML file extensions (Administration → General Settings → Languages → XML → File suffixes) to add .csproj. That should get it included in the analysis so that your issues will have somewhere to ‘attach’.

HTH,
Ann

Hi Ann
Thanks for your response.

I tried adding .csproj to the XML file suffixes but that didn’t work.
I experimented a bit with different XML files and found that if I just created a new dummy.xml, it wouldn’t be found. But if I added that dummy.xml to the project then it would get scanned and found during the analysis.
However, that doesn’t help getting it to select the csproj files.

Hi,

Is this an SDK-style project or an older-style one? Per the docs, all files in an SDK-style project should be picked up automatically. For older-style projects, you may need to get a little recursive:

More specifically, any files included by an element of one of the ItemTypes in this list will be analyzed automatically. For example, the following line in your .csproj or .vbproj file

<Content Include="foo\bar\*.js" />

will enable the analysis of all JS files in the directory foo\bar because Content is one of the ItemTypes whose includes are automatically analyzed.

Which means listing your .csproj file… in your .csproj file. No idea, TBH, whether or not that would make .NET swallow its tail…

Ann

While adding a reference to the csproj within the csproj file does work, we found a more elegant solution by adding the following to the Directory.Build.props file which is used in our project.

  <!-- Customize Sonar Cloud to include OWASP scan results -->
  <ItemGroup>
    <AdditionalFilesToAnalyzeBySonarCloud Include="$(MSBuildProjectFullPath)"></AdditionalFilesToAnalyzeBySonarCloud>
  </ItemGroup>
  <PropertyGroup>
    <SQAdditionalAnalysisFileItemTypes>AdditionalFilesToAnalyzeBySonarCloud;$(SQAdditionalAnalysisFileItemTypes)</SQAdditionalAnalysisFileItemTypes>
  </PropertyGroup>