Scans not including maven pom.xml dependency


(Coupacoupa) #1

Hello, I am using

  • sonarqube-7.4, sonar scanner 3.2.0.1227, maven 3.6.0

I want to do a dependency scan to check if my external dependencies in maven’s pom.xml have any vulnerabilities (CVE).

My runs have finished and the pom.xml is also included in the scans (Number of lines 187), but the dependencies in it aren’t detected at all (vulnerabilities are detected if using OWASP/OSSI scans).

I have tried a lot of commands but all gave the same results:
- mvn sonar:sonar -Dsonar.host.url=http://localhost:9000 -Dsonar.login=abc -Dsonar.import_unknown_files=true
- mvn verify sonar:sonar

As this is my first time using SonarQube, if I missed out any important information, do let me know.