SonarQube dependency-check analysis does not match DependencyTrack results

SonarQube
1

Must-share information (formatted with Markdown):

  • which versions are you using? (SonarQube 8.9.0-DE , Scanner 3.3 gradle Plugin)
  • what are you trying to achieve? Analysis of java project. Recently learned of Sonarqube dependency-check plugin and wished to include analysis results already being sent to DependencyTrack server for display.
  • what have you tried so far to achieve this? Added analysis parameter to project configuration: sonar.dependencyCheck.jsonReportPath=./build/reports/bom.json but results are not included in project status page:
    Screen Shot 2021-09-03 at 10.41.39 AM
    Screen Shot 2021-09-03 at 10.41.39 AM2732×1516 235 KB

    Compare to DependencyTrack view
    Screen Shot 2021-09-03 at 10.40.44 AM
    Screen Shot 2021-09-03 at 10.40.44 AM3206×356 49.8 KB
2

Hi Mark,
The dependency-check analyzer is not developed by SonarSource so hopefully its authors see your post.
One thing I suggest you check is whether the files where the issues should be located are being analyzed and showing up in the “Code” tab. Also check in the scanner logs (debug enabled) if the analyzer’s Sensor is running.

3

I’ve been advised that our team will be focused exclusively on the results of Cyclonedx scanner.