[Quality Gates] : Owasp Dependency check

Hi all,

I use SonarQube 9.9.1 LTS with dependency-check plugin version 4.0

I set the following dependency-check quality gates on “Overall code”

"Critical Severity Vulnerabilities is greater than 0"

The quality gate fails with the following message:

Issue : There is 0 critical vulnerability in dependency-check report

When clicking on the finding, we have the following:

Question: How can this be explained, since there are no critical vulnerabilities in the dependency-check report and SonarQube is supposed to aggregate this report?
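One way to check the report independently of the plugin is to count the vulnerabilities in the Dependency-Check JSON report yourself and evaluate the same gate condition. The example below is added here and is not code from the thread, from SonarQube or from the dependency-check-sonar-plugin; it assumes the Dependency-Check JSON layout (`dependencies[].vulnerabilities[].severity`, with `cvssv3.baseScore` or `cvssv2.score`), uses a constructed sample report, and uses assumed score thresholds to show how a count based on the report's severity labels and a count based on CVSS scores can disagree on the same data, which is one reason a "greater than 0" gate can fail while a reader of the report sees no "critical" entries.

```python
"""Added example: count Dependency-Check findings two ways and evaluate the
'Critical Severity Vulnerabilities is greater than 0' gate against each."""
import json
from collections import Counter

# Constructed sample report (not from the thread). The structure follows the
# Dependency-Check JSON report layout as assumed for this example.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "libA.jar", "vulnerabilities": [
            {"name": "VULN-A-1", "severity": "HIGH",
             "cvssv3": {"baseScore": 8.1}},
        ]},
        {"fileName": "libB.jar", "vulnerabilities": [
            # Labelled HIGH in the report, but carries a CVSSv2 score of 10.0
            # and no CVSSv3 block: a score-based classifier calls this CRITICAL.
            {"name": "VULN-B-1", "severity": "HIGH",
             "cvssv2": {"score": 10.0}},
            {"name": "VULN-B-2", "severity": "MEDIUM",
             "cvssv3": {"baseScore": 5.3}},
        ]},
        {"fileName": "libC.jar"},  # clean dependency, no vulnerabilities key
    ]
})

# Score thresholds for the score-based classification. These values are an
# assumption made for this example, not taken from the plugin or the thread.
THRESHOLDS = (("CRITICAL", 9.0), ("HIGH", 7.0), ("MEDIUM", 4.0), ("LOW", 0.0))


def iter_vulns(report):
    """Yield (dependency file name, vulnerability dict) for every finding."""
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            yield dep.get("fileName", "?"), vuln


def cvss_score(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2; None if neither."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None


def severity_from_score(score):
    """Map a CVSS score onto a label using THRESHOLDS (highest floor wins)."""
    if score is None:
        return "UNKNOWN"
    for label, floor in THRESHOLDS:
        if score >= floor:
            return label
    return "LOW"


def count_by_report_severity(report_json):
    """Count findings by the severity string written in the report."""
    report = json.loads(report_json)
    return Counter(v.get("severity", "UNKNOWN").upper()
                   for _, v in iter_vulns(report))


def count_by_score(report_json):
    """Count findings by a severity label derived from their CVSS score."""
    report = json.loads(report_json)
    return Counter(severity_from_score(cvss_score(v))
                   for _, v in iter_vulns(report))


def gate_fails(counts, severity="CRITICAL", greater_than=0):
    """Mirror of the gate 'Critical Severity Vulnerabilities is greater than 0'."""
    return counts.get(severity, 0) > greater_than


if __name__ == "__main__":
    by_label = count_by_report_severity(SAMPLE_REPORT)
    by_score = count_by_score(SAMPLE_REPORT)
    print("by report label:", dict(by_label), "gate fails:", gate_fails(by_label))
    print("by CVSS score  :", dict(by_score), "gate fails:", gate_fails(by_score))
```

Run against a real report by replacing `SAMPLE_REPORT` with the contents of `dependency-check-report.json`; if the two counts differ, the gate and the report are simply not measuring the same thing, and the classification rule on the plugin side is what to look at.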


Welcome to the community!

Unfortunately, that ‘Critical Security Vulnerabilities’ metric is provided and populated by Dependency Check, rather than by SonarQube itself. So you’ll need to ask the Dependency Check maintainers about it.


Hi all,

Found the answer.

You were right, Ann, this is a dependency-check related issue.

Detailed answer here: [Quality Gates] : Owasp Dependency check · Issue #873 · dependency-check/dependency-check-sonar-plugin · GitHub
