Sonarsource/sonarqube-scan:4.0.0 can't parse dependency-check-report.json

sonarsource/sonarqube-scan:4.0.0 running on self hosted BitBucket runners utilizing the dependency-check-report.json created by atlassian/bitbucket-dependency-scanner:0.8.0 is failing on a parsing error:

13:45:20.398 DEBUG Problem with JSON-Report-Mapping
org.sonar.dependencycheck.parser.ReportParserException: Problem with JSON-Report-Mapping
	at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:44)
	at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(DependencyCheckSensor.java:67)
	at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:129)
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:69)
	at org.sonar.scanner.sensor.ProjectSensorsExecutor.execute(ProjectSensorsExecutor.java:54)
	at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:181)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
	at org.sonar.scanner.bootstrap.SpringScannerContainer.doAfterStart(SpringScannerContainer.java:339)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
	at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:142)
	at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
	at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
	at org.sonar.scanner.bootstrap.ScannerMain.runScannerEngine(ScannerMain.java:150)
	at org.sonar.scanner.bootstrap.ScannerMain.run(ScannerMain.java:67)
	at org.sonar.scanner.bootstrap.ScannerMain.main(ScannerMain.java:53)
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "cvssv4" (class org.sonar.dependencycheck.parser.element.Vulnerability), not marked as ignorable (7 known properties: "cvssv3", "cwes", "name", "description", "severity", "cvssv2", "source"])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 180064, column: 6] (through reference chain: org.sonar.dependencycheck.parser.element.Analysis["dependencies"]->java.util.ArrayList[596]->org.sonar.dependencycheck.parser.element.Dependency["vulnerabilities"]->java.util.ArrayList[0]->org.sonar.dependencycheck.parser.element.Vulnerability["cvssv4"])
	at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61)
	at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:1153)
	at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:2224)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1793)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperties(BeanDeserializerBase.java:1743)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:546)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
	at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:545)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:570)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:440)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
	at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:545)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:570)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:440)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4899)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3883)
	at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:40)
	... 16 common frames omitted

Is there a way to skip this or get cvssv4 included in the next version of sonarqube-scan? I see that this is the current version: dependency-check-sonar-plugin/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Vulnerability.java at master (dependency-check/dependency-check-sonar-plugin on GitHub)

V/R
Vic
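Added example, not part of the original thread and not code from SonarSource, Atlassian or the dependency-check-sonar-plugin project: a Python script that implements the "skip" Vic asks about on the consumer side. It rewrites the Dependency-Check JSON report so that every entry under dependencies[].vulnerabilities[] keeps only the seven property names the Jackson exception above lists as known; anything else (here, cvssv4) is removed before the plugin sees the file. The known-field list is taken from the error text; the sample report embedded at the bottom is constructed for illustration and its scores are made up.

```python
"""Strip vulnerability fields the sonar-dependency-check plugin cannot map.

The plugin deserializes each dependencies[].vulnerabilities[] entry onto a
Java class with a fixed property set, and Jackson rejects unknown fields.
Rewriting the report to that property set lets the scan proceed while the
upstream parser catches up.
"""
import copy
import json

# The seven property names listed as "known properties" in the plugin's
# UnrecognizedPropertyException. Anything else on a vulnerability entry
# (for example "cvssv4") is dropped.
KNOWN_VULNERABILITY_FIELDS = frozenset(
    {"cvssv3", "cwes", "name", "description", "severity", "cvssv2", "source"}
)


def strip_unknown_vulnerability_fields(report: dict) -> tuple[dict, dict]:
    """Return (cleaned_report, removed) without mutating the input.

    `removed` maps each dropped field name to how often it was dropped, so the
    pipeline log shows exactly what was taken out of the artifact. Only
    vulnerability entries are touched; the parser did not object to anything
    else in the report, so the rest is passed through unchanged.
    """
    cleaned = copy.deepcopy(report)
    removed: dict[str, int] = {}
    dependencies = cleaned.get("dependencies")
    if not isinstance(dependencies, list):
        return cleaned, removed
    for dependency in dependencies:
        vulns = dependency.get("vulnerabilities") if isinstance(dependency, dict) else None
        if not isinstance(vulns, list):
            continue
        for vuln in vulns:
            if not isinstance(vuln, dict):
                continue
            for key in list(vuln):
                if key not in KNOWN_VULNERABILITY_FIELDS:
                    del vuln[key]
                    removed[key] = removed.get(key, 0) + 1
    return cleaned, removed


def clean_report_file(src_path: str, dst_path: str) -> dict:
    """Read a report, write the cleaned copy to dst_path, return removed counts.

    Writing to a separate path keeps the original scanner output intact for
    audit; point the Sonar plugin at dst_path instead.
    """
    with open(src_path, encoding="utf-8") as fh:
        report = json.load(fh)
    cleaned, removed = strip_unknown_vulnerability_fields(report)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(cleaned, fh, indent=2)
    return removed


# Constructed sample shaped like a Dependency-Check JSON report. The
# identifier and scores are placeholders, not real findings.
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-lib-1.0.0.jar",
            "vulnerabilities": [
                {
                    "source": "NVD",
                    "name": "EXAMPLE-0001",
                    "severity": "HIGH",
                    "cwes": ["CWE-79"],
                    "description": "constructed sample finding",
                    "cvssv3": {"baseScore": 7.5},
                    "cvssv4": {"baseScore": 8.1},
                }
            ],
        },
        {"fileName": "clean-lib-2.0.0.jar"},
    ],
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        removed_fields = clean_report_file(sys.argv[1], sys.argv[2])
    else:
        _, removed_fields = strip_unknown_vulnerability_fields(SAMPLE_REPORT)
    print("removed fields:", removed_fields or "none")
```

Run it as a pipeline step between the dependency scanner and the sonarqube-scan pipe (for example `python strip_cvssv4.py dependency-check-report.json dependency-check-report.sonar.json`, file names assumed) and point the plugin's JSON report path setting at the cleaned copy. Two caveats: the CVSS v4 data is lost to Sonar, which the plugin was not using anyway, and you are editing a scan artifact, so keep the original alongside it. The durable fix is on the plugin side (Jackson can be told to ignore unknown properties), which is the maintainers' call.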

Hi Vic,

You’ll need to ask the plugin maintainers about this.

And I should note that SCA is now part of our Advanced Security offering.

HTH,
Ann