Vulnerabilities exclusion

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    We are using: Community Edition Version 9.9.4 (build 87374)

  • how is SonarQube deployed:
    Docker

  • Problem
SonarQube shows jar vulnerabilities, even though they are excluded with Maven

  • what are you trying to achieve
I want to exclude some dependencies with Maven, so that SonarQube doesn't complain about
    vulnerabilities in those jar files.

  • what have you tried so far to achieve this
I tried to exclude some jar files from my Maven project, but SonarQube complains about some
    vulnerabilities, even though I excluded them with Maven (see screenshot)

Any help would be greatly appreciated.

Hi,

That issue appears to be raised by a 3rd-party analyzer, likely OWASP Dependency-Check. Thus, it’s a bit out of scope for us.

Ann

Hi,

Thx for the answer. Yes I found out that the problem is coming from OWASP.

See the following link:

[FP]: txw2-4.0.5.jar detected as eclipse glassfish · Issue #7020 · jeremylong/DependencyCheck · GitHub.

Problem is resolved

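For readers landing on this thread with the same symptom, here is an added example (not code from the original posts or from the DependencyCheck project) showing the two distinct mechanisms involved: a Maven `<exclusions>` entry, which removes a transitive jar from the build, and an OWASP Dependency-Check suppression file, which silences a finding for a jar that is still on the classpath but has been misidentified, as in the linked false-positive issue. The Maven coordinates `org.glassfish.jaxb:txw2`, the parent artifact `com.example:some-library`, the suppression file name and the CPE string are assumptions for illustration, not values taken from the thread.

```xml
<!-- pom.xml fragment (hypothetical coordinates).
     An exclusion removes the transitive jar from the resolved dependency set,
     so neither the build nor any scanner sees it.  Use this only when the
     application really does not need the jar at runtime. -->
<dependency>
  <groupId>com.example</groupId>
  <artifactId>some-library</artifactId>
  <version>1.0.0</version>
  <exclusions>
    <exclusion>
      <groupId>org.glassfish.jaxb</groupId>   <!-- assumed groupId of txw2 -->
      <artifactId>txw2</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- pom.xml fragment: point dependency-check-maven at a suppression file.
     This is the mechanism for a jar that must stay on the classpath but is
     being matched to the wrong product (a false positive), which is what the
     linked DependencyCheck issue describes for txw2. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <configuration>
    <suppressionFiles>
      <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>

<!-- dependency-check-suppressions.xml (assumed file name).
     The <packageUrl> restricts the suppression to the txw2 artifact only, and
     the <cpe> restricts it to the one mistaken product match, so a genuine
     future CVE against txw2 itself would still be reported. -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: txw2 is misidentified as Eclipse GlassFish.
      Tracked upstream in jeremylong/DependencyCheck issue #7020.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/txw2@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:glassfish</cpe>   <!-- assumed CPE of the wrong match -->
  </suppress>
</suppressions>
```

Before reaching for a suppression, confirm which situation you are in: if the jar still appears in `mvn dependency:tree` after adding the exclusion, another dependency path is pulling it in and the exclusion simply did not remove it; if it is gone from the tree but SonarQube still shows the finding, the issue is stale data from a previous scan or, as here, an identification error in the scanner rather than a Maven problem. Keep suppressions as narrow as the one above (one package URL, one CPE) and record the upstream issue in the notes so the entry can be retired once the false positive is fixed.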