
Enable global securityHotspot setting for all projects

Open manuel-sommer opened this issue 8 months ago • 5 comments

Is your feature request related to a problem? Please describe. The sonar.dependencyCheck.securityHotspot=true setting has to be set per repo. It would be nice to forward the findings to the Security Hotspot globally, as this enables the findings to be processed over the API, e.g. for DefectDojo integration.

Describe the solution you'd like I would like to have a global setting within the plugin itself which enables the findings to be forwarded to the Security Hotspot in all projects.

manuel-sommer avatar Mar 11 '25 06:03 manuel-sommer

Check out https://github.com/dependency-check/dependency-check-sonar-plugin/pull/900. Security Hotspots are deprecated and have not been properly removed. I will therefore close your request.

Reamer avatar Mar 25 '25 14:03 Reamer

Based on https://github.com/dependency-check/dependency-check-sonar-plugin/issues/952#issuecomment-2612480396, Security Hotspots are not deprecated anymore. Here the rule must be added again in the plugin. A pull request is welcome. You can then activate the security hotspot rule globally in SonarQube.

Reamer avatar Mar 25 '25 14:03 Reamer

You can implement the use of the hotspot rule globally at the following location.

Reamer avatar Mar 25 '25 14:03 Reamer

Hi,

Cannot seem to make this work.

When disabled they are raised as issues. When enabled they are not raised at all.

Using 10.7 and 2025.2 LTA

Any workaround?

Will

rupreck avatar Apr 21 '25 05:04 rupreck

Based on #952 (comment), Security Hotspots are not deprecated anymore. Here the rule must be added again in the plugin. A pull request is welcome. You can then activate the security hotspot rule globally in SonarQube.

Hi,

I'm not against trying to help, but this functionality was seemingly removed as part of bigger changes when migrating to Sonar 2025.1 ... How exactly are we supposed to figure out what was previously there to create a PR with the necessary changes?

None of us know enough about this plugin to know:

  • how it worked before the upgrade
  • what got removed because of deprecation
  • what should be reverted without breaking the changes that were made for the 2025 upgrade.

I'm not sure it's very realistic to expect us to figure out all of that context of a project we're not familiar with to try to get the broken functionality running again. Some assistance on what the critical changes were at the very least would be helpful.

SvenT23 avatar May 06 '25 09:05 SvenT23

I have just reactivated the security hotspot feature in the master branch. https://github.com/dependency-check/dependency-check-sonar-plugin/pull/1059

Reamer avatar Jun 21 '25 11:06 Reamer

Hi @Reamer , when will you make a new release? I would like to test this out :-)

manuel-sommer avatar Jul 29 '25 11:07 manuel-sommer