SonarQube Developer Edition;Dependency-Check integration with Bitbucket Pipeline; javaScript project

Hello,
We are looking for some help with SonarQube configuration. We are using SonarQube Developer edition(v10.6 (92116)[ACTIVE]) and we are trying to integrate it with Bitbucket CI/CD pipeline.

So far we have the project imported into sonarQube and the pipeline setup for code scan and it runs successfully. (using sonarsource/sonar-scanner-cli:10.0 docker image in the bitbucket pipeline following this ). Also, Dependency-Check(5.0.0) is already added as a plugin on SonarQube.

The problem we are facing is to get the dependency-check working with our javaScript project. The main thing that we want out of the Dependency-Check is to catch known vulnerabilities present in our code and the npm pakages that we are using in our project, similar to how we would get with Snyk scanning. But the dependency-check results are neither showing up in SonarQube UI or in Bitbucket pipeline build checks. In SonarQube, under the project>issues>type the vulnerability count is 0 and maybe that is why it is greyed out.
Another thing that we have noticed under Code tab in the said javaScript project on SonarQube is that none of the .json(including package.json which has all the 3rd party dependencies listed), .yml or .sh files are present and I think maybe that is to blame for the vulnerability scan not working as we want it to. To try and resolve this we have double checked and made sure that we do not have any file exclusions under Analysis Scope in the Project Setting. And have also double checked that all the project files(*.json, *.yml, etc.) are present in the directory which we are mounting following this to the sonarsource/sonar-scanner-cli docker image for sonarQube integration.

To summarize, we want to set up Bitbucket CI/CD pipelines with SonarQube for our JavaScript project such that, when new vulnerabilities are detected in our code or the 3rd party dependencies, the Bitbucket pipeline step fails which ultimately fails build check on bitbucket and with proper merge checks in place on the Bitbucket repo. it does not allow merging the changes to main.

Any help and suggestion would be very appreciated. Thank you.

Hey there.

GitHub - dependency-check/dependency-check-sonar-plugin: Integrates Dependency-Check reports into SonarQube is a community-supported plugin, and you’re more likely to find some help raising an issue on their GitHub repo.

Hello,

Thank you for the quick response, I will raise a issue there as well but I don’t think they will be able to help with the missing files in SonarQube. Do have any suggestions to help with that?

I’m really not sure how this plugin works, or if it would typically raise issues on files not normally indexed by the SonarScanner.

SonarQube doesn’t analyze all YAML and JSON files by default (only ones that map to specific frameworks we do support analyzing), and you may have to install some community-supported plugins like GitHub - sbaudoin/sonar-yaml: SonarQube plugin to analyze YAML files