SonarQube dependency-check analysis does not match DependencyTrack results

Must-share information (formatted with Markdown):

  • which versions are you using? (SonarQube 8.9.0-DE, Scanner 3.3 Gradle plugin)
  • what are you trying to achieve? Analysis of a Java project. I recently learned of the SonarQube dependency-check plugin and wished to include the analysis results already being sent to our DependencyTrack server for display.
  • what have you tried so far to achieve this? Added an analysis parameter to the project configuration: `sonar.dependencyCheck.jsonReportPath=./build/reports/bom.json`, but the results are not included in the project status page:
    [screenshot: SonarQube project status page] Compare to the DependencyTrack view: [screenshot: DependencyTrack view]

Hi Mark,
The dependency-check analyzer is not developed by SonarSource, so hopefully its authors see your post.
One thing I suggest you check is whether the files where the issues should be located are being analyzed and showing up in the “Code” tab. Also check in the scanner logs (with debug enabled) whether the analyzer’s Sensor is running.

I’ve been advised that our team will be focused exclusively on the results of the CycloneDX scanner.