SonarCloud: OWASP Dependency Check and Generic Issue Data

Hi Sonar Community,

we are working on CI/CD for iOS projects and we have already integrated SonarCloud in our pipelines, but we wanted to integrate OWASP Dependency Check too. We already have a solution for that integration, but we wanted to go a bit further and integrate OWASP Dependency Check reports with SonarCloud. Because there is no OWASP Dependency Check plugin for SonarCloud, we are trying to make a workaround by ourselves to at least import an External Report using Generic Issue Data. We are building a Report File following the Generic Issue Data format, but the problem comes with the property filePath.

We have noticed 2 restrictions from SonarScanner:

  • The path has to point to a file that SonarScanner can find
  • The file pointed by that path needs to be modified to allow SonarCloud dashboard to show the issue

The problem is, if we want to report an issue on a Swift Package Manager dependency, we think that filePath should point to Package.resolved, which is inside MyProject.xcodeproj, but SonarScanner cannot find MyProject.xcodeproj, so it won’t show the issue on the SonarCloud Dashboard.

We would have some questions:

  • Is there any possibility that SonarScanner finds MyProject.xcodeproj?
  • Is there any option to force SonarCloud to show all the issues, even without modifying any file?
  • Can we just show issues without sending filePath property?
  • Is there any other possibility for the OWASP Dependency Check integration with SonarCloud?

This is a part of the logs:

DEBUG: Importing issues from 'sonar_reports/dependency-check-report.json'
INFO: Imported 0 issues in 0 files
INFO: External issues ignored for 1 unknown files, including: MyProject.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

The path is correct because it has worked for another path at the same level as MyProject.xcodeproj.

This is dependency-check-report.json:

{
  "issues": [
    {
      "engineId": "DependencyCheck",
      "ruleId": "CVE-2015-3996",
      "severity": "MAJOR",
      "type": "VULNERABILITY",
      "primaryLocation": {
        "message": "AFNetworking/NSURLConnection:2.5.2:\nThe default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library, disables verification of a server hostname against the domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.\nhttps://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3\nhttp://www.securityfocus.com/bid/76242\nhttps://github.com/AFNetworking/AFNetworking/issues/2619\nhttps://owncloud.org/security/advisory/?id=oc-sa-2015-012",
        "filePath": "MyProject.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"
      }
    }
  ]
}

Another small question: Is there any way to add line breaks to message?

I hope that my problem is clear, let me know if you need more information. Sorry for the size of the post!

Thank you so much
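To make the conversion the post describes concrete, here is an added example (not the poster's own integration and not part of Sonar's or Dependency Check's tooling) that turns an OWASP Dependency Check JSON report into the Generic Issue Data format shown above. The Dependency Check field names (`dependencies`, `fileName`, `vulnerabilities`, `name`, `severity`, `description`, `references[].url`) are assumptions based on its JSON output, the severity mapping is an assumption, and the sample report is constructed. Every finding is anchored on one project-relative file that the scanner indexes (the Swift file path used later in this thread), because Package.resolved is not indexed, and it includes the pre-flight check for the first restriction listed above (the anchor must be a real file under the analysis base directory).

```python
"""Convert an OWASP Dependency Check JSON report into SonarQube/SonarCloud
Generic Issue Data. Constructed example: the Dependency Check field names and
the severity mapping are assumptions, not taken from the thread."""
import json
import os

# Dependency Check severity label -> Generic Issue Data severity (assumed mapping)
SEVERITY_MAP = {
    "CRITICAL": "BLOCKER",
    "HIGH": "CRITICAL",
    "MEDIUM": "MAJOR",
    "MODERATE": "MAJOR",
    "LOW": "MINOR",
}


def build_message(dep_name, vuln):
    """Compose the issue message. '\\n' inside the JSON string is the only
    line-break mechanism the format offers, so the description and the
    reference URLs are joined with it."""
    lines = [f"{dep_name}: {vuln.get('description', '').strip()}"]
    for ref in vuln.get("references", []):
        url = ref.get("url")
        if url:
            lines.append(url)
    return "\n".join(lines)


def dc_to_generic_issues(report, anchor_path, engine_id="DependencyCheck"):
    """Map each vulnerability of each dependency to one generic issue.

    anchor_path: project-relative path of a file the scanner indexes (e.g. a
    Swift source file). Dependency findings have no indexed source file of
    their own, so all of them are attached to this anchor."""
    issues = []
    for dep in report.get("dependencies", []):
        dep_name = dep.get("fileName", "unknown-dependency")
        for vuln in dep.get("vulnerabilities", []):
            sev = SEVERITY_MAP.get(str(vuln.get("severity", "")).upper(), "MAJOR")
            issues.append({
                "engineId": engine_id,
                "ruleId": vuln.get("name", "UNKNOWN"),
                "severity": sev,
                "type": "VULNERABILITY",
                "primaryLocation": {
                    "message": build_message(dep_name, vuln),
                    "filePath": anchor_path,
                },
            })
    return {"issues": issues}


def anchor_is_indexable(base_dir, anchor_path):
    """Pre-flight check: the anchor must be a real file under the analysis base
    directory, otherwise the scanner reports the issues as ignored for an
    'unknown file' (the log line quoted in the thread)."""
    return os.path.isfile(os.path.join(base_dir, anchor_path))


# Constructed sample report (minimal subset of Dependency Check fields)
SAMPLE_REPORT = {
    "dependencies": [
        {
            "fileName": "AFNetworking:2.5.2",
            "vulnerabilities": [
                {
                    "name": "CVE-2015-3996",
                    "severity": "HIGH",
                    "description": "AFSecurityPolicy.validatesDomainName is not enforced "
                                   "for AFSSLPinningModeNone before 2.5.3.",
                    "references": [
                        {"url": "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3"}
                    ],
                }
            ],
        }
    ]
}

if __name__ == "__main__":
    anchor = "MyProject/App/AppDelegate.swift"  # assumed project-relative anchor
    if not anchor_is_indexable(".", anchor):
        print(f"warning: {anchor} not found under the current directory")
    print(json.dumps(dc_to_generic_issues(SAMPLE_REPORT, anchor), indent=2))
```

Write the output to the file referenced by the scanner's external-issues property and run the scanner from the directory that contains the anchor path; if the pre-flight check fails, the scanner will count the issues under "ignored for unknown files" exactly as in the log above.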

Hi,

Welcome to the community!

Please don’t apologize! We appreciate the detail!

I don’t think there is. It’s possible that <br/> would work, but I wouldn’t hold my breath.

Now, on to the main topic:

The scanner only “finds” files that we need for analysis / know how to analyze. So it’s not going to pick up *.xcodeproj until & unless we have rules to check on it.

Well… yes. You only need modified files in a PR context. If you’re analyzing a branch, everything should show up.

No. SonarCloud has to have somewhere to “attach” the issues to. But… have you tried giving a directory path? I think that should work.

HTH,
Ann

Hi Ann,

thank you for your answers. Our idea was to be able to run a pipeline to check the status of the project, including vulnerabilities, and we thought that the SonarCloud dashboard could be a good option to show all the issues detected by that pipeline.
We have changed the AppDelegate file to test, but it seems that passing a directory path is not working:

"filePath": "MyProject/" // even without "/"

this works:

"filePath": "MyProject/App/AppDelegate.swift"

So we see 2 problems for us here:

  • If we want to show any vulnerability in the SonarCloud dashboard, we have to attach it to a modified file, even if that file has nothing to do with the vulnerability because, in our case, it would be a dependency vulnerability and we cannot use Package.resolved or Podfile.lock.
  • We think we can not use a regularly scheduled pipeline to show detected dependency vulnerabilities in Develop branch in SonarCloud dashboard because we will need modified files, right? Even if we have merged some branches into Develop between pipeline runs?

Do you have any other suggestion to guide us? Is there maybe another Report File Format that allows us to show just a “message” as an issue in the SonarCloud dashboard?

We will investigate further other possibilities too.

Again, thank you for your help and have a nice day.

Hi,

Again, you don’t need modified files. Analyze a long-lived branch, and everything will show up.

HTH,
Ann

Ah ok, we were testing in a short-lived branch, and there we are having the problem that the “filePath” property has to be the path of a modified file. We will check what is happening in develop.
Thank you!