Hi Sonar Cloud Community,
Does anyone know if SCA viewing is already available in Sonar Cloud? I know it’s available as a plugin in SonarQube but I couldn’t force my Sonar Cloud to display the Dependency Check JSON Vulnerabilities report.
In the logs and the artifacts, I see the reports are properly generated and have a few vulnerabilities.
Part of the script responsible for creating reports and sending them to SonarCloud:
```yaml
- step: &build
    name: Build and Test
    caches:
      - maven
      - nvd # New cache for NVD data
      - sonar
    script:
      # Download NVD data only if the cache is empty
      - if [ ! -d ~/.dependency-check/nvdcache ]; then mvn org.owasp:dependency-check-maven:update-only; fi
      # Run dependency check with NVD data from cache
      - mvn -B clean jacoco:prepare-agent verify -Dspring.profiles.active=it -Ddependency-check.skip=false jacoco:report
      - mvn -B org.owasp:dependency-check-maven:check -DnvdApiKey=$NVDAPIKEY -DfailBuildOnCVSS=11
      # Folded scalar (>) joins the continuation lines into a single command
      - >
        mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
        -Dsonar.dependencyCheck.summarize=true
        -Dsonar.dependencyCheck.jsonReportPath=target/dependency-check-report.json
        -Dsonar.dependencyCheck.xmlReportPath=target/dependency-check-report.xml
        -Dsonar.dependencyCheck.htmlReportPath=target/dependency-check-report.html
```
- ALM used Bitbucket
- CI system used Bitbucket Cloud
- Scanner command used when applicable (private details masked)
- Languages of the repository - Java
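A quick way to confirm what the generated JSON report actually contains and to apply a CVSS gate in the pipeline itself, independent of whether SonarCloud renders it (added example, not the poster's pipeline code; it assumes the report layout Dependency-Check writes, a top-level "dependencies" list whose items carry "fileName" and an optional "vulnerabilities" list with "cvssv3"/"cvssv2" score objects, and uses a constructed sample report):

```python
import json

# Constructed sample in the shape of target/dependency-check-report.json
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "library-a-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-EXAMPLE-0002", "severity": "HIGH",
              "cvssv2": {"score": 7.5}},
         ]},
        {"fileName": "library-b-2.0.jar"},  # no findings, no "vulnerabilities" key
    ],
})


def score_of(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)


def summarize(report_text):
    """Return {fileName: (finding_count, max_cvss)} for vulnerable dependencies only."""
    report = json.loads(report_text)
    summary = {}
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if vulns:
            summary[dep["fileName"]] = (len(vulns), max(score_of(v) for v in vulns))
    return summary


def exceeds_threshold(summary, fail_on_cvss):
    """Mirror -DfailBuildOnCVSS: fail when any dependency scores at or above it.
    A threshold of 11 is unreachable, so the pipeline above never fails on CVSS."""
    return any(max_cvss >= fail_on_cvss for _, max_cvss in summary.values())


if __name__ == "__main__":
    found = summarize(SAMPLE_REPORT)
    for name, (count, max_cvss) in found.items():
        print(f"{name}: {count} finding(s), max CVSS {max_cvss}")
    print("gate tripped at 7.0:", exceeds_threshold(found, 7.0))
```

Run it against the real report by replacing SAMPLE_REPORT with the contents of target/dependency-check-report.json; a non-zero exit on a tripped gate can be added where the pipeline needs to fail regardless of what SonarCloud shows.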