- ALM used (GitHub)
- CI system used (Azure DevOps)
- Scanner command used when applicable (SonarCloudAnalyze@1)
- Languages of the repository (C#)
I’ve been attempting to run ‘OWASP Dependency Check’ in my build pipeline and then import that into SonarCloud, but I have been running into issues when attempting to do that.
These are the steps I’ve used in attempting to do this:
I’ve run the ‘OWASP Dependency Check’ task in my pipeline and this has highlighted a number of vulnerabilities in the libraries that we are using.
I’ve converted one of those vulnerabilities into a generic-format JSON file which the external analyser accepts.
i.e.
{
  "rules": [
    {
      "ruleId": "CVE-2022-30187",
      "name": "just_some_rule_name",
      "description": "Azure Storage Library Information Disclosure Vulnerability\n\nSonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-30187 for details",
      "engineId": "DependencyCheck",
      "cleanCodeAttribute": "FORMATTED",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "MEDIUM"
        }
      ],
      "issues": [
        {
          "primaryLocation": {
            "message": "fix the issue here",
            "filePath": "D:/a/1/s/Source/XXX.Flow.Web/XXX.Flow.Web.csproj"
          }
        }
      ]
    }
  ]
}
However, when the SonarCloudAnalyze@1 task is run, the scanner is not able to find the csproj file.
INFO: ------------- Run sensors on module XXX.Flow.Web
INFO: Sensor Import external issues report
INFO: Imported 0 issues in 0 files for ruleId 'CVE-2022-30187'
INFO: External issues for ruleId 'CVE-2022-30187' ignored for 1 unknown files, including: D:/a/1/s/Source/XXX.Flow.Web/XXX.Flow.Web.csproj
INFO: Sensor Import external issues report (done) | time=5ms
If I change the filePath to another file in the same directory, e.g. “D:/a/1/s/Source/XXX.Flow.Web/Web.config”, then it does get found.
INFO: ------------- Run sensors on module XXX.Flow.Web
INFO: Sensor Import external issues report
INFO: Imported 1 issue in 1 file for ruleId 'CVE-2022-30187'
INFO: Sensor Import external issues report (done) | time=20ms
If I try changing the filePath to the directory, e.g. “D:/a/1/s/Source/XXX.Flow.Web/”, then it also fails to get found.
INFO: ------------- Run sensors on module XXX.Flow.Web
INFO: Sensor Import external issues report
INFO: Imported 0 issues in 0 files for ruleId 'CVE-2022-30187'
INFO: External issues for ruleId 'CVE-2022-30187' ignored for 1 unknown files, including: D:/a/1/s/Source/XXX.Flow.Web/
So my problem is: how can I get the external analyser in SonarCloud to import my issues from the OWASP Dependency Check report when it doesn’t recognise the csproj files that the dependency check report is identifying as having vulnerabilities?
I am unable to use the directory where the csproj file is located as the filePath for the external issue, and I do not have a consistent file in all the projects which I could use to attach the issue to.
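As an added illustration of the conversion step described in the post (my own example code, not part of the original post, of OWASP Dependency-Check or of SonarCloud): a small converter that turns a Dependency-Check JSON report into the generic issue format shown above, one rule per CVE, and checks each target filePath against the set of files the scanner actually indexed before emitting it. The report structure (dependencies[].filePath and dependencies[].vulnerabilities[]) is assumed to follow the Dependency-Check JSON layout, the values in SAMPLE_DC_REPORT are constructed, and the indexed-file set is a hypothetical input you would have to collect yourself (for example from the scanner's verbose file-indexing output); the converter does not resolve the underlying problem of csproj files not being indexed, it only makes that failure visible before the scan instead of as an "ignored for N unknown files" log line.

```python
import json

# Severity names as Dependency-Check emits them, mapped onto the severities the
# SonarCloud generic-issue "impacts" block accepts (mapping is my own choice).
# Anything unrecognised is reported as MEDIUM so that it is not silently dropped.
SEVERITY_MAP = {
    "CRITICAL": "HIGH",
    "HIGH": "HIGH",
    "MEDIUM": "MEDIUM",
    "MODERATE": "MEDIUM",
    "LOW": "LOW",
}

# Constructed miniature of a Dependency-Check JSON report. The nesting follows the
# real report layout as assumed here; every value is made up for this example.
SAMPLE_DC_REPORT = {
    "dependencies": [
        {
            "fileName": "Azure.Storage.Blobs:12.0.0",
            "filePath": "D:/a/1/s/Source/XXX.Flow.Web/XXX.Flow.Web.csproj",
            "vulnerabilities": [
                {
                    "name": "CVE-2022-30187",
                    "severity": "MEDIUM",
                    "description": "Azure Storage Library Information Disclosure Vulnerability",
                }
            ],
        },
        {
            "fileName": "Some.Other.Package:1.0.0",
            "filePath": "D:/a/1/s/Source/XXX.Flow.Web/XXX.Flow.Web.csproj",
            "vulnerabilities": [
                {"name": "CVE-2000-0001", "severity": "CRITICAL", "description": "constructed"},
                {"name": "CVE-2000-0002", "severity": "LOW", "description": "constructed"},
            ],
        },
    ]
}


def to_generic_issues(report, indexed_files, engine_id="DependencyCheck"):
    """Convert a parsed Dependency-Check report into the SonarCloud generic
    issue format, one rule per CVE.

    indexed_files is the set of paths the scanner indexed (hypothetical input).
    A dependency whose filePath is not in that set is returned in `skipped`
    rather than emitted, because the scanner would log it as an unknown file
    and import nothing for it.
    """
    rules = {}
    skipped = []
    for dep in report.get("dependencies", []):
        path = dep.get("filePath", "")
        if path not in indexed_files:
            skipped.append((dep.get("fileName", "?"), path))
            continue
        for vuln in dep.get("vulnerabilities", []):
            cve = vuln["name"]
            severity = SEVERITY_MAP.get(str(vuln.get("severity", "")).upper(), "MEDIUM")
            # First occurrence of a CVE defines the rule; later ones only add issues.
            rule = rules.setdefault(cve, {
                "ruleId": cve,
                "name": cve,
                "description": vuln.get("description", ""),
                "engineId": engine_id,
                "cleanCodeAttribute": "FORMATTED",
                "impacts": [{"softwareQuality": "SECURITY", "severity": severity}],
                "issues": [],
            })
            rule["issues"].append({
                "primaryLocation": {
                    "message": f"{dep.get('fileName', '?')} is affected by {cve}",
                    "filePath": path,
                }
            })
    return {"rules": list(rules.values())}, skipped


def write_generic_report(report, indexed_files, out_path):
    """Write the generic issue JSON to out_path and return the skipped entries."""
    generic, skipped = to_generic_issues(report, indexed_files)
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(generic, fh, indent=2)
    return skipped


if __name__ == "__main__":
    # Simulate the post's situation: only Web.config is indexed, the csproj is not.
    indexed = {"D:/a/1/s/Source/XXX.Flow.Web/Web.config"}
    generic, skipped = to_generic_issues(SAMPLE_DC_REPORT, indexed)
    print(json.dumps(generic, indent=2))
    for name, path in skipped:
        print(f"WARNING: {name} -> {path} is not an indexed file; scanner would ignore it")
```

Run against the real report with the actual indexed-file set, and every warning line corresponds to an issue that would otherwise vanish into the "ignored for N unknown files" message in the scanner log.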