Security Hotspots report broken after importing issues from OWASP dependency check

This is not happening to everyone, so I suspect it has something to do with the data in the violations being raised.

Environment:

  • SonarQube 8.3.1 Enterprise Edition
  • Dependency Check plugin 2.0.5

Steps to reproduce:

  • Enable “When enabled all SonarQube issues are flagged as Security-Hotspot.” in General Settings
  • Generate XML report using OWASP dependency check plugin
  • Import report to SonarQube
  • Go to project “Security Hotspots” tab

Expected:
Issues are listed

Actual:
Issues are listed for a millisecond, then an error happens and the page shows: “The request cannot be processed. Try again later.”

As can be seen in the screenshot, there is an undefined variable “textRange”. Could this be set to some default value by SonarQube to avoid this problem? Or is the community plugin doing something wrong?

FYI, the issue has also been reported in the community GitHub project: https://github.com/dependency-check/dependency-check-sonar-plugin/issues/270

The root cause was that the build.gradle files were not included in sonar.sources.
Making sure that build.gradle is included solves the problem.

For further details, see: