Hi,
My case concerns CVE issues uploaded to SonarQube using the sarifReports property of the Sonar scanner. The CVEs found in the Xray scan are uploaded as a SARIF report to Sonar for developers to work on. Now the problem we are facing is that a CVE reported by the Xray scan could be found in multiple applications. So if we try to mark the CVE as false-positive/accepted, it works for that application and some other applications, but not all of the applications respect that status change, and those would need an explicit status change of that CVE in that particular application project only.
Also, the same CVE with the exact same description is reported multiple times, of course due to its occurrence in different applications, but when I click on the Issues tab globally in the Sonar UI, there too it appears multiple times, pointing to the different projects in which it is detected, and bulk updating the issues also sometimes gets it back.
Is there a way in which we can propagate the status changes from one branch to another? This question is very specific to the behaviour of the SARIF CVEs uploaded from Xray to Sonar.
Please note that we are not updating any CVE status/metadata changes in Xray; all of this is being handled in SonarQube only.
Details of System:
- SonarQube - Developer Edition v2025.1.3 (110580) - MQR Mode
- Sonar scanner - sonar-scanner-6.0.0.4432
- CI tool - Concourse
Appreciate your help.
Regards,
Monali