Hi Sonar Community,
We are working on CI/CD for iOS projects and we have already integrated SonarCloud in our pipelines, but we wanted to integrate OWASP Dependency Check too. We already have a solution for that integration, but we wanted to go a bit further and integrate OWASP Dependency Check reports with SonarCloud. Because there is no OWASP Dependency Check plugin for SonarCloud, we are trying to make a workaround by ourselves to at least import an External Report using Generic Issue Data. We are building a report file following the Generic Issue Data format, but the problem comes with the property filePath.
We have noticed 2 restrictions from SonarScanner:
- The path has to point to a file that SonarScanner can find
- The file pointed to by that path needs to be modified to allow the SonarCloud dashboard to show the issue
The problem is, if we want to report an issue on a Swift Package Manager dependency, we think that filePath should point to Package.resolved, which is inside MyProject.xcodeproj, but SonarScanner cannot find MyProject.xcodeproj, so it won't show the issue on the SonarCloud dashboard.
We would have some questions:
- Is there any possibility that SonarScanner finds MyProject.xcodeproj?
- Is there any option to force SonarCloud to show all the issues, even without modifying any file?
- Can we just show issues without sending the filePath property?
- Is there any other possibility for the OWASP Dependency Check integration with SonarCloud?
This is a part of the logs:
DEBUG: Importing issues from 'sonar_reports/dependency-check-report.json'
INFO: Imported 0 issues in 0 files
INFO: External issues ignored for 1 unknown files, including: MyProject.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
The path is correct because it has worked for another path at the same level as MyProject.xcodeproj.
This is dependency-check-report.json:
{
  "issues": [
    {
      "engineId": "DependencyCheck",
      "ruleId": "CVE-2015-3996",
      "severity": "MAJOR",
      "type": "VULNERABILITY",
      "primaryLocation": {
        "message": "AFNetworking/NSURLConnection:2.5.2:\nThe default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library, disables verification of a server hostname against the domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.\nhttps://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3\nhttp://www.securityfocus.com/bid/76242\nhttps://github.com/AFNetworking/AFNetworking/issues/2619\nhttps://owncloud.org/security/advisory/?id=oc-sa-2015-012",
        "filePath": "MyProject.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"
      }
    }
  ]
}
Another small question: Is there any way to add line breaks to the message?
I hope that my problem is clear, let me know if you need more information. Sorry for the size of the post!
Thank you so much
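The conversion the post describes (OWASP Dependency Check JSON report to a Sonar Generic Issue Data file), as an added example that is not the poster's own script and not part of either project. It assumes the Dependency Check report carries a `dependencies` array whose entries hold `fileName` and a `vulnerabilities` array with `name`, `severity`, `description` and `references[].url`; the severity mapping from Dependency Check levels to Sonar levels is an assumption too. The `engineId`, rule naming and `filePath` follow the post's own report. The second function reproduces the scanner's "unknown files" check from the log above against a list of files the scanner has indexed, so a pipeline can fail early when the chosen `filePath` would be silently dropped.

```python
import json

# Constructed sample in the shape this script reads from a Dependency Check
# JSON report (assumption: real reports have many more fields).
SAMPLE_DC_REPORT = {
    "dependencies": [
        {
            "fileName": "AFNetworking/NSURLConnection:2.5.2",
            "vulnerabilities": [
                {
                    "name": "CVE-2015-3996",
                    "severity": "HIGH",
                    "description": "AFNetworking before 2.5.3 disables hostname "
                                   "verification for AFSSLPinningModeNone.",
                    "references": [
                        {"url": "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3"},
                    ],
                }
            ],
        },
        # A dependency with no findings produces no issue.
        {"fileName": "Alamofire:5.6.0", "vulnerabilities": []},
    ]
}

# Assumed mapping from Dependency Check severities to Sonar severities.
SEVERITY_MAP = {
    "CRITICAL": "BLOCKER",
    "HIGH": "CRITICAL",
    "MEDIUM": "MAJOR",
    "MODERATE": "MAJOR",
    "LOW": "MINOR",
}


def dc_to_generic_issues(dc_report, manifest_path, engine_id="DependencyCheck"):
    """Build a Generic Issue Data document with one VULNERABILITY per finding.

    Every issue is attached to manifest_path (e.g. Package.resolved), because the
    Generic Issue Data format needs a filePath the scanner can resolve.
    """
    issues = []
    for dep in dc_report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            # Sonar renders "\n" inside the message as a line break in the JSON;
            # references are appended one per line, as in the post's report.
            refs = [r["url"] for r in vuln.get("references", []) if r.get("url")]
            message = "\n".join(
                [f"{dep.get('fileName', 'unknown dependency')}:",
                 vuln.get("description", "")] + refs
            )
            issues.append({
                "engineId": engine_id,
                "ruleId": vuln.get("name", "UNKNOWN"),
                "severity": SEVERITY_MAP.get(str(vuln.get("severity", "")).upper(), "MAJOR"),
                "type": "VULNERABILITY",
                "primaryLocation": {"message": message, "filePath": manifest_path},
            })
    return {"issues": issues}


def unknown_files(generic_report, indexed_files):
    """Return the filePaths the scanner would ignore.

    indexed_files is the set of paths (relative to the project base dir) that
    SonarScanner indexed from sonar.sources; anything else is reported as
    'External issues ignored for N unknown files', exactly the failure in the log.
    """
    indexed = {p.replace("\\", "/").lstrip("./") for p in indexed_files}
    return sorted({
        issue["primaryLocation"]["filePath"]
        for issue in generic_report.get("issues", [])
        if issue["primaryLocation"]["filePath"].replace("\\", "/") not in indexed
    })


if __name__ == "__main__":
    manifest = "MyProject.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"
    report = dc_to_generic_issues(SAMPLE_DC_REPORT, manifest)
    # Constructed list of what the scanner indexed; the xcodeproj is missing,
    # which is the situation in the post.
    indexed = ["Sources/App/AppDelegate.swift", "Package.swift"]
    dropped = unknown_files(report, indexed)
    if dropped:
        print("These filePaths will be ignored by SonarScanner:", dropped)
    with open("sonar_reports/dependency-check-report.json", "w") as fh:
        json.dump(report, fh, indent=2)
```

Run `unknown_files` in the pipeline before invoking the scanner: the only way a finding becomes visible is a `filePath` that appears in the indexed list, so the check turns the silent `Imported 0 issues` into a visible failure. The file list can be produced by walking the directories named in `sonar.sources`.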