Sonar scanner maven not creating security hotspots out of dependency-check report

Hi there,

we have used the maven sonar plugin to show security hotspots out of dependency-check reports in SonarQube. It worked perfectly with reports generated with dependency-check version 8.x

After updating dependency-check to version 9, security hotspots are not shown in SonarQube anymore. It looks to me that the dependency-check report generated by version 9 is not read correctly.

Are there any known issues about this, or am I doing something wrong?

Working scenario
Version dependency-check: 8.2.1
Sonar-Maven-Plugin: 4.0.0.4121
SonarQube: Community Edition 10.1

NOT working scenario
Version dependency-check: 9.0.7
Sonar-Maven-Plugin: 4.0.0.4121
SonarQube: Community Edition 10.1

What I have seen is that dependency-check reports out of version 8.x contain cvss2 information, while reports out of version 9.x only contain cvss3 information. Might this be the reason?

Thanks in advance,
Dirk
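A quick way to confirm the report difference described in the post above is to count, per finding, which CVSS blocks the JSON report actually carries and what a reader that only looks at cvssv2 would still see. The following script is an added example, not code from the thread or from the dependency-check or SonarQube projects. It assumes the dependency-check JSON layout of a top-level "dependencies" list whose entries hold a "vulnerabilities" list with optional "cvssv2"/"cvssv3" objects; the sub-field names "score" and "baseScore" are assumptions, and both embedded sample reports are constructed for this example rather than real scanner output.

```python
"""Check which CVSS versions a dependency-check JSON report carries.

Added example, not part of the forum thread. The report layout assumed here
(top-level "dependencies", each with a "vulnerabilities" list holding optional
"cvssv2"/"cvssv3" objects) follows the dependency-check JSON report; the
sub-field names "score" and "baseScore" are assumptions, and both sample
reports below are constructed for this example.
"""
import json
import sys
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed sample in the style of an 8.x report: both CVSS v2 and v3 present.
REPORT_V8 = json.dumps({
    "dependencies": [{
        "fileName": "example-lib-1.0.jar",
        "vulnerabilities": [
            {"name": "sample-vuln-A", "severity": "HIGH",
             "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}},
        ],
    }],
})

# Constructed sample in the style of a 9.x report: CVSS v3 only.
REPORT_V9 = json.dumps({
    "dependencies": [{
        "fileName": "example-lib-1.0.jar",
        "vulnerabilities": [
            {"name": "sample-vuln-A", "severity": "CRITICAL",
             "cvssv3": {"baseScore": 9.8}},
            {"name": "sample-vuln-B", "severity": "MEDIUM",
             "cvssv3": {"baseScore": 5.3}},
        ],
    }],
})


def iter_vulnerabilities(report_text: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (dependency file name, vulnerability dict) for every finding."""
    report = json.loads(report_text)
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            yield dep.get("fileName", "?"), vuln


def cvss_coverage(report_text: str) -> Dict[str, int]:
    """Count findings by which CVSS version blocks they carry."""
    counts = {"total": 0, "cvssv2": 0, "cvssv3": 0, "neither": 0}
    for _, vuln in iter_vulnerabilities(report_text):
        counts["total"] += 1
        has_v2 = "cvssv2" in vuln
        has_v3 = "cvssv3" in vuln
        counts["cvssv2"] += int(has_v2)
        counts["cvssv3"] += int(has_v3)
        if not (has_v2 or has_v3):
            counts["neither"] += 1
    return counts


def base_score(vuln: Dict[str, Any]) -> Optional[Tuple[str, float]]:
    """Pick a score, preferring CVSS v3 and falling back to v2.

    A consumer that only reads cvssv2 gets nothing for every finding in a
    v3-only report; this is the fallback order such a consumer would need.
    """
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return "cvssv3", float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return "cvssv2", float(v2["score"])
    return None


def scored_findings(report_text: str) -> List[Tuple[str, str, str, float]]:
    """Return (file, vuln name, score source, score) for scorable findings."""
    out = []
    for fname, vuln in iter_vulnerabilities(report_text):
        picked = base_score(vuln)
        if picked is not None:
            out.append((fname, vuln.get("name", "?"), picked[0], picked[1]))
    return out


def v2_only_consumer(report_text: str) -> List[str]:
    """Names of findings a reader that only looks at cvssv2 would still see."""
    return [v.get("name", "?") for _, v in iter_vulnerabilities(report_text)
            if "cvssv2" in v]


if __name__ == "__main__":
    # With a path argument, inspect a real dependency-check-report.json;
    # otherwise compare the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("8.x-style sample", REPORT_V8), ("9.x-style sample", REPORT_V9)]
    for label, text in samples:
        print(label, cvss_coverage(text))
        print("  cvssv2-only reader sees:", v2_only_consumer(text))
        for row in scored_findings(text):
            print("  ", row)
```

Run it against the real report with `python check_cvss.py dependency-check-report.json` (script name is arbitrary): if the "cvssv2" count is zero for every finding while "cvssv3" is populated, the report itself matches what the post describes, and any consumer that keys hotspot severity off cvssv2 alone will produce nothing from it.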

Hey there.

I suggest raising an issue with GitHub - dependency-check/dependency-check-sonar-plugin: Integrates Dependency-Check reports into SonarQube, the maintainers of the dependency-check plugin.

Hey there, I’m not sure if this is the right approach.
What I’m doing is calling mvn sonar:sonar providing a dependency-check-report.json like this

mvn verify sonar:sonar -Dsonar.dependencyCheck.jsonReportPath=dependency-check-report.json

and my question is whether the sonar plugin is able to read dependency-check reports out of version 9.x and categorize security hotspots.

You’re gonna have to ask the maintainer of that plugin, who handles that integration, at the GitHub repo I linked.

OK, I’ll try this. Thank you.