Details of Environment
- SonarQube 10.6
- Developer Edition license
- Deployment: Helm
- GitLab Ultimate
I am looking to make use of the SonarQube Developer edition feature “Reporting vulnerabilities in GitLab”
In the SonarQube docs linked above, it says “Initially, all issues marked Open on SonarQube are marked as Needs triage on GitLab”
Can you tell me if this is supposed to be for everything in the SonarQube Project->Issues tab? Or is it only for issues of type “Vulnerability”?
I am able to hit the API endpoint and get back a JSON object, but it is showing zero vulnerabilities in the JSON return. We have zero issues of type “Vulnerability” in the project I am looking at, but we do have other Issues (Code Smell, etc). Wondering if I should expect to see those other issue types come back in the SAST scan or not.
This is the JSON return that I get when calling the endpoint
Calling via command:
```bash
curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json
```
Returned JSON:
```json
{
  "version": "15.0.0",
  "scan": {
    "analyzer": {
      "id": "SONARQUBE 10.6.0.92116",
      "name": "SONARQUBE - Developer",
      "vendor": {
        "name": "Sonar"
      },
      "version": "10.6.0.92116"
    },
    "scanner": {
      "id": "sonar_scan",
      "name": "Sonar",
      "vendor": {
        "name": "Sonar"
      },
      "version": "10.7.0.2191"
    },
    "start_time": "2024-09-12T15:42:20",
    "end_time": "2024-09-12T15:42:20",
    "status": "success",
    "messages": [],
    "type": "sast"
  },
  "vulnerabilities": []
}
```
I think everything is fine with authentication and the other variables in the URL because I am getting a valid JSON return.
Any ideas why the vulnerabilities field is coming back empty?
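As an added example (not part of the post above, and not Sonar or GitLab code), the script below parses a GitLab SAST report of the shape shown in the post, distinguishes a well-formed but empty report from a malformed one, and summarizes findings per severity so a pipeline can gate on them. The empty report is copied from the post; the second sample with two findings is constructed, and its per-finding field names (`id`, `name`, `severity`, `location.file`, `identifiers`) are an assumption about the GitLab report layout rather than something the post shows.

```python
"""Summarize a GitLab SAST report (e.g. the gl-sast-sonar-report.json written by
SonarQube's /api/issues/gitlab_sast_export endpoint) and decide whether the
findings should block a pipeline.  Standalone example; not Sonar or GitLab code."""
import json
import sys
from collections import Counter

# Severity values used in GitLab security reports, worst first.
SEVERITIES = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Copy of the empty report shown in the post above ("vulnerabilities": []).
EMPTY_REPORT_JSON = """{
  "version": "15.0.0",
  "scan": {
    "analyzer": {"id": "SONARQUBE 10.6.0.92116", "name": "SONARQUBE - Developer",
                 "vendor": {"name": "Sonar"}, "version": "10.6.0.92116"},
    "scanner": {"id": "sonar_scan", "name": "Sonar",
                "vendor": {"name": "Sonar"}, "version": "10.7.0.2191"},
    "start_time": "2024-09-12T15:42:20",
    "end_time": "2024-09-12T15:42:20",
    "status": "success",
    "messages": [],
    "type": "sast"
  },
  "vulnerabilities": []
}"""

# Constructed sample with two findings, for demonstration only.  The field
# names (id, name, severity, location.file, identifiers) are an assumption
# about the GitLab report layout; they are not taken from the post.
FINDINGS_REPORT = {
    "version": "15.0.0",
    "scan": {"analyzer": {"name": "SONARQUBE - Developer"}, "status": "success", "type": "sast"},
    "vulnerabilities": [
        {"id": "constructed-0001", "name": "Hard-coded credential", "severity": "Critical",
         "location": {"file": "src/db.py", "start_line": 12},
         "identifiers": [{"type": "sonarqube_rule", "name": "constructed-rule-1",
                          "value": "constructed-rule-1"}]},
        {"id": "constructed-0002", "name": "Reflected input in response", "severity": "Medium",
         "location": {"file": "src/web.py", "start_line": 40},
         "identifiers": [{"type": "sonarqube_rule", "name": "constructed-rule-2",
                          "value": "constructed-rule-2"}]},
    ],
}


def load_report(source):
    """Parse a JSON string (or accept a decoded dict) and check the top-level shape."""
    report = json.loads(source) if isinstance(source, str) else source
    for key in ("version", "scan", "vulnerabilities"):
        if key not in report:
            raise ValueError(f"not a GitLab security report: missing top-level '{key}'")
    if not isinstance(report["vulnerabilities"], list):
        raise ValueError("'vulnerabilities' must be a list")
    return report


def summarize(report):
    """Count findings per severity and collect the files they point at."""
    vulns = report["vulnerabilities"]
    counts = Counter(v.get("severity", "Unknown") for v in vulns)
    files = sorted({v.get("location", {}).get("file", "<no location>") for v in vulns})
    return {
        "schema_version": report["version"],
        "analyzer": report["scan"].get("analyzer", {}).get("name"),
        "scan_status": report["scan"].get("status"),
        "total": len(vulns),
        "by_severity": {s: counts.get(s, 0) for s in SEVERITIES},
        "files": files,
    }


def should_block(summary, threshold="High"):
    """True when at least one finding is at or above the given severity."""
    limit = SEVERITIES.index(threshold)
    return any(summary["by_severity"][s] > 0 for s in SEVERITIES[: limit + 1])


def describe(summary):
    """Human-readable one-liner for a CI log."""
    if summary["total"] == 0:
        return (f"{summary['analyzer']} report (schema {summary['schema_version']}, scan status "
                f"{summary['scan_status']}) is well-formed but lists no findings.")
    parts = ", ".join(f"{s}={n}" for s, n in summary["by_severity"].items() if n)
    return f"{summary['total']} finding(s): {parts}; files: {', '.join(summary['files'])}"


if __name__ == "__main__":
    # Usage: python summarize_report.py gl-sast-sonar-report.json (falls back to the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            reports = [load_report(fh.read())]
    else:
        reports = [load_report(EMPTY_REPORT_JSON), load_report(FINDINGS_REPORT)]
    for rep in reports:
        summ = summarize(rep)
        print(describe(summ), "-> BLOCK" if should_block(summ) else "-> pass")
```

Run against the empty report, the script reports a well-formed, successful scan with zero findings, which separates "the export worked but contained nothing" from an authentication or URL problem (which would not return this JSON shape at all). Severity strings outside the GitLab set still count toward `total` but not toward `by_severity`, so a blocking decision is only made on recognized values.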