aku
(Adrien)
October 27, 2023, 2:04pm
Hi all,
I use SonarQube 9.9.1 LTS with dependency-check plugin version 4.0
I set the following dependency-check quality gate condition on “Overall code”:
"Critical Severity Vulnerabilities is greater than 0"
The quality gate fails with the following message:
Issue : There is 0 critical vulnerability in dependency-check report
When clicking on the finding, we see the following:
Question: How can this be explained, since there are no criticals in the dependency-check report and SonarQube is supposed to aggregate this report?
ganncamp
(G Ann Campbell)
October 30, 2023, 2:46pm
Hi
Welcome to the community!
Unfortunately, that ‘Critical Security Vulnerabilities’ metric is provided and populated by Dependency Check, rather than by SonarQube itself. So you’ll need to ask the Dependency Check maintainers about it.
Ann
aku
(Adrien)
November 13, 2023, 8:49am
Hi all,
Found the answer.
You were right, Ann, this is a dependency-check related issue.
Detailed answer here: [Quality Gates] : Owasp Dependency check · Issue #873 · dependency-check/dependency-check-sonar-plugin · GitHub