
Problem with JSON-Report-Mapping when Sonatype OSS Index Analyzer is activated

Open. Lars5678 opened this issue 2 months ago • 1 comment

Describe the bug

The Dependency Check Sonar Plugin seems to be incompatible with the latest Dependency Check Maven plugin when the Sonatype OSS Index Analyzer is activated.

To Reproduce

  1. Create a dependency with CVEs in Maven.
  2. Run a Dependency Check Maven analysis with version 12.1.6 and activate the OSS Index Analyzer including a valid token.
  3. Use the latest Sonar Community Build with Dependency Check Sonar Plugin 5.0.0 installed.
  4. As a result, an exception should be thrown by the Dependency Check Sonar plugin and no security issues should be created, even though CVEs are present, as can be seen in the HTML report.

Current behavior

When retrieving the Sonatype OSS index data, Cvss4 structures are created that cannot be parsed by the Sonar plugin V5. An exception occurs, which means that no CVE issues are created in Sonar.

209604 [INFO] Dependency-Check - Start
209604 [INFO] Using JSON-Reportparser
209804 [WARNING] JSON-Analysis aborted
209805 [DEBUG] Problem with JSON-Report-Mapping
org.sonar.dependencycheck.parser.ReportParserException: Problem with JSON-Report-Mapping
    at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:44)
    at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(DependencyCheckSensor.java:67)
    at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:129)
    at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:69)
    at org.sonar.scanner.sensor.ProjectSensorsExecutor.execute(ProjectSensorsExecutor.java:54)
    at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:181)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
    at org.sonar.scanner.bootstrap.SpringScannerContainer.doAfterStart(SpringScannerContainer.java:339)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
    at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:142)
    at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:227)
    at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:206)
    at org.sonar.scanner.bootstrap.ScannerMain.runScannerEngine(ScannerMain.java:150)
    at org.sonar.scanner.bootstrap.ScannerMain.run(ScannerMain.java:67)
    at org.sonar.scanner.bootstrap.ScannerMain.main(ScannerMain.java:53)
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "cvssv4" (class org.sonar.dependencycheck.parser.element.Vulnerability), not marked as ignorable (7 known properties: "cvssv3", "cwes", "name", "description", "severity", "cvssv2", "source"])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 426756] (through reference chain: org.sonar.dependencycheck.parser.element.Analysis["dependencies"]->java.util.ArrayList[75]->org.sonar.dependencycheck.parser.element.Dependency["vulnerabilities"]->java.util.ArrayList[0]->org.sonar.dependencycheck.parser.element.Vulnerability["cvssv4"])
    at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61)
    at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:1153)
    at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:2224)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1793)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperties(BeanDeserializerBase.java:1743)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:546)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
    at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:545)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:570)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:440)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
    at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:545)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:570)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:440)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
    at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
    at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4899)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3883)
    at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:40)
    ... 16 common frames omitted

209819 [INFO] Upload Dependency-Check HTML-Report
209840 [INFO] Dependency-Check - End

Expected behavior

The expectation is that the latest version of the Dependency Check Maven plugin is compatible with the version of the Sonar plugin. No more recent Sonar plugin is available for the current Sonar Community Build. Therefore, the only option is to disable the Sonatype OSS index.

Versions (please complete the following information):

  • dependency-check maven 12.1.6
  • sonarqube v25.7.0.110598
  • dependency-check-sonar-plugin 5.0.0

Lars5678, Oct 08 '25 09:10
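The Jackson behaviour behind the trace above, as an added illustration that is not the plugin's own code: a model class that knows only the listed properties aborts the whole parse on `cvssv4`, so a report full of findings yields zero issues, while a model that ignores unknown properties (or a mapper with `FAIL_ON_UNKNOWN_PROPERTIES` disabled) still delivers the vulnerabilities. The report JSON and the CVE id are constructed placeholders.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;
import java.util.List;

public class Cvss4ParseDemo {
    // Constructed minimal report: one dependency with one vulnerability carrying a
    // "cvssv4" block, as newer Dependency-Check versions emit with OSS Index enabled.
    static final String REPORT = "{\"dependencies\":[{\"fileName\":\"example.jar\","
        + "\"vulnerabilities\":[{\"name\":\"CVE-0000-00000\",\"source\":\"OSSINDEX\","
        + "\"severity\":\"HIGH\",\"cvssv4\":{\"baseScore\":8.7},"
        + "\"description\":\"constructed sample\"}]}]}";

    // Strict model: stands in for a class that knows only the older report fields.
    public static class StrictVulnerability { public String name, source, severity, description; }
    public static class StrictDependency { public String fileName; public List<StrictVulnerability> vulnerabilities; }
    public static class StrictAnalysis { public List<StrictDependency> dependencies; }

    // Tolerant model: unknown fields (here cvssv4) are skipped instead of aborting the parse.
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class TolerantVulnerability { public String name, source, severity, description; }
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class TolerantDependency { public List<TolerantVulnerability> vulnerabilities; }
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class TolerantAnalysis { public List<TolerantDependency> dependencies; }

    public static void main(String[] args) throws Exception {
        // Default ObjectMapper fails on unknown properties: this is the exception in the trace.
        ObjectMapper strict = new ObjectMapper();
        try {
            strict.readValue(REPORT, StrictAnalysis.class);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("strict mapping aborted: " + e.getOriginalMessage());
        }

        // Option 1: tolerant model classes, the mapper stays at its defaults.
        TolerantAnalysis a = new ObjectMapper().readValue(REPORT, TolerantAnalysis.class);
        System.out.println("findings with tolerant model: " + a.dependencies.get(0).vulnerabilities.size());

        // Option 2: keep the strict model but relax the mapper for this parser only.
        ObjectMapper relaxed = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        StrictAnalysis b = relaxed.readValue(REPORT, StrictAnalysis.class);
        System.out.println("findings with relaxed mapper: " + b.dependencies.get(0).vulnerabilities.size());
    }
}
```

Either option keeps a report from newer Dependency-Check versions from silently producing no Sonar issues; adding a `cvssv4` element to the model is then a separate step to actually surface the new score.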

Try the 6.0.0 release. It worked when 5.0.0 didn't. I think the fix is this PR: https://github.com/dependency-check/dependency-check-sonar-plugin/pull/1055

sellersj, Oct 30 '25 18:10