Sonar Configuration for multi-module project with OWASP dependency check report included

shivdewangan · September 20, 2018, 4:55pm

Hi,

I’ve multi module project setup. Since no Jenkins/Maven setup for my project I use CLI to get the dependency report for each module separately and copied them to root project folder named as per the their module

For example

D: MyProject
 --module1
    --src
 --module2
    --src

--dependency-check-module1-report
    --dependency-check-report (XML)
    --dependency-check-report (HTML)
--dependency-check-module2-report
    --dependency-check-report (XML)
    --dependency-check-report (HTML)

I’ve explicitly mentioned the module wise report path in sonar-project.properties file

        #----- Default SonarQube server
        sonar.host.url=http://localhost:9000

        # Root project information
        sonar.projectKey=MyProject
        sonar.projectName=MyProject
        sonar.projectVersion=1.0

        # Some properties that will be inherited by the modules
        sonar.sources=src
        sonar.language=java
        sonar.java.binaries=src
        sonar.java.libraries=src

        # List of the module identifiers
        sonar.modules=module1,module2

        # Properties can obviously be overriden for each module - just prefix them with the module ID
        #module1.sonar.projectName=MyProject-module1
        #module2.sonar.projectName=MyProject-module2

        # Encoding of the source files
        sonar.sourceEncoding=UTF-8

    module1.sonar.dependencyCheck.reportPath=D:\MyProject\dependency-check-module1-report\dependency-check-report.xml
    module1.sonar.dependencyCheck.htmlReportPath=D:\MyProject\dependency-check-module1-report\dependency-check-report.html
    module2.sonar.dependencyCheck.reportPath=D:\MyProject\dependency-check-module2-report\dependency-check-report.xml
    module2.sonar.dependencyCheck.htmlReportPath=D:\MyProject\dependency-check-module2-report\dependency-check-report.html

sonar-scanner run fine but skip to pick up the dependency check as It always check ${WORKSPACE}/dependency-check-report.html which is defined in sonarQube dashboard->Configuraiton->Dependency-Check

In Dashboard I can mentioned report file for only one of the module but I need both module reports to be integrated in SonarQube scan result.

17:53:06.825 INFO: Sensor Dependency-Check [dependencycheck]
17:53:06.825 INFO: Process Dependency-Check report
17:53:06.840 WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.xml
17:53:06.840 DEBUG: Analysis aborted due to missing report file
java.io.FileNotFoundException: Dependency-Check report does not exist.
        at org.sonar.dependencycheck.parser.XmlReportFile.getInputStream(XmlReportFile.java:82)
        at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(DependencyCheckSensor.java:173)
        at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:227)
        at org.sonar.scanner.sensor.SensorWrapper.analyse(SensorWrapper.java:53)
        at org.sonar.scanner.phases.SensorsExecutor.executeSensor(SensorsExecutor.java:88)
        at org.sonar.scanner.phases.SensorsExecutor.execute(SensorsExecutor.java:82)
        at org.sonar.scanner.phases.SensorsExecutor.execute(SensorsExecutor.java:68)
        at org.sonar.scanner.phases.AbstractPhaseExecutor.execute(AbstractPhaseExecutor.java:88)
        at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:177)
        at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
        at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121)
        at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:291)
        at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:286)
        at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:264)
        at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
        at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121)
        at org.sonar.scanner.task.ScanTask.execute(ScanTask.java:48)
        at org.sonar.scanner.task.TaskContainer.doAfterStart(TaskContainer.java:84)
        at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
        at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121)
        at org.sonar.scanner.bootstrap.GlobalContainer.executeTask(GlobalContainer.java:121)
        at org.sonar.batch.bootstrapper.Batch.doExecuteTask(Batch.java:116)
        at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:71)
        at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
        at com.sun.proxy.$Proxy0.execute(Unknown Source)
        at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:171)
        at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:128)
        at org.sonarsource.scanner.cli.Main.execute(Main.java:111)
        at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
        at org.sonarsource.scanner.cli.Main.main(Main.java:61)

17:53:06.856 INFO: Process Dependency-Check report (done) | time=31ms
17:53:06.856 WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.html
17:53:06.856 INFO: Sensor Dependency-Check [dependencycheck] (done) | time=31ms
17:53:06.856 INFO: Sensor SonarJavaXmlFileSensor [java]
17:53:06.856 INFO: Sensor SonarJavaXmlFileSensor [java] (done) | time=0ms

Is there any way to tell sonar-scanner not to check the dependency report path mentioned in sonarQube-Dashboard but check the sonar-project.properties

fyi, I an using sonarqube-6.7.5 sonar-dependency-check-plugin-1.1.1 sonar-java-plugin-5.7.0.15470 sonar-scanner-3.2.0.1227

Thanks in advance for clue.

ganncamp · September 20, 2018, 5:03pm

Hi,

I guess you’re using this plugin: https://github.com/stevespringett/dependency-check-sonar-plugin …? If so, you should probably direct your questions to that project.

That said, it sounds like you’re dealing with a Maven project(?) and running a Maven analysis(?). If so, your analysis will never look at sonar-project.properties. That’s not how Maven analysis works. Instead you should feed your extra properties in either on the command line or as properties in your pom (docs here).

Beyond that, it sounds rather fishy to me that you’re generating module reports and then moving them to a central location. I would expect them to be picked up in their default Maven locations in each module. But that really is a question to direct to the community for that plugin.

Ann

shivdewangan · September 21, 2018, 8:45am

We are not using Maven in our project at moment rather executing everything on command line. I’ll check with the project team if any option available to enforce this without using Maven or Jenkins.

Thanks.

agabrys · September 22, 2018, 6:58pm