Hi,
In the CI pipeline of a Go API project, we first compile, then run the Dependency-Check CLI scan, which generates reports with the vulnerabilities found, and then run the SonarQube scan, passing it the reports generated by Dependency-Check in .json and .html format.
This works well in most cases, but when the report contains about 20 vulnerabilities, a warning pops up in SonarQube. If we open the HTML report it displays correctly, but the issues do not appear in the Security category.
The warning in the logs is the following:
2025.06.09 13:54:49 WARN ce[04262ca6-1942-4d92-8d79-c1fb72b4bf4f][o.s.c.t.p.s.PersistMeasuresStep] A plugin is storing excessively large data in the following measure(s): ‘report’. This is likely to cause significant SonarQube performance degradation and UI slowness. It is recommended to contact your administrator to disable the plugin or corresponding feature and reach out to the plugin maintainer for further assistance.
We have SonarQube dockerised to version 25.6.0.109173-community and are using the following scanners:
sonarsource/sonar-scanner-cli:11.3
owasp/dependency-check:12.1.1
This problem leaves us unable to trace vulnerabilities as issues. If anyone can help us, we would appreciate it.
Thanks in advance,
Best regards!
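An added example, not part of the original post or of Dependency-Check or SonarQube: a small Python helper that reads a Dependency-Check JSON report (the `dependencies[].vulnerabilities[]` layout) and summarizes findings by severity, so a CI job can track the vulnerability count and gate the build even when the SonarQube Security category does not show the issues. The sample report, dependency names and CVE identifiers are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Dependency-Check JSON report
# (top-level "dependencies", each with an optional "vulnerabilities" list).
# Identifiers and dependency names are placeholders, not real CVEs/modules.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "example-api"},
    "dependencies": [
        {"fileName": "example.com/modA:v0.0.1",
         "vulnerabilities": [
             {"name": "CVE-XXXX-0001", "severity": "HIGH"},
             {"name": "CVE-XXXX-0002", "severity": "MEDIUM"}]},
        {"fileName": "example.com/modB:v1.2.3",
         "vulnerabilities": [
             {"name": "CVE-XXXX-0003", "severity": "CRITICAL"}]},
        {"fileName": "example.com/clean:v2.0.0"},  # no findings
    ],
})

SEVERITY_ORDER = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def summarize_report(report_json):
    """Return total, per-severity counts and (dependency, CVE, severity) triples."""
    report = json.loads(report_json)
    counts = Counter()
    findings = []
    for dep in report.get("dependencies", []):
        # "vulnerabilities" is absent or null for clean dependencies
        for vuln in dep.get("vulnerabilities") or []:
            severity = str(vuln.get("severity", "UNKNOWN")).upper()
            counts[severity] += 1
            findings.append((dep.get("fileName", "?"), vuln.get("name", "?"), severity))
    return {"total": sum(counts.values()), "by_severity": dict(counts), "findings": findings}


def should_fail(summary, min_severity="HIGH"):
    """CI gate: True when any finding is at or above min_severity."""
    floor = SEVERITY_ORDER[min_severity]
    return any(SEVERITY_ORDER.get(sev, 0) >= floor for _, _, sev in summary["findings"])


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['total']} findings: {s['by_severity']}")
    for dep, cve, sev in s["findings"]:
        print(f"  {sev:<8} {cve}  {dep}")
    raise SystemExit(1 if should_fail(s) else 0)
```

In the pipeline this would run on the real `dependency-check-report.json` right after the Dependency-Check step, before the sonar-scanner step.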