
Support Yarn

Open quinnturner opened this issue 4 years ago • 9 comments

With the release of Dependency-Check v6.1.0 (and subsequent fixes in v6.1.1), Yarn auditing is supported natively.

In this plugin, the logs that I receive during my CI pipeline suggest that Yarn is not directly supported.

INFO: Sensor Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
INFO: Using JSON-Reportparser
INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.

Where the project's sonar-project.properties contains the value:

sonar.sources=src,yarn.lock

Describe the solution you'd like

This plugin should support Yarn now that Dependency-Check supports auditing with yarn audit --verbose with the file yarn.lock.

quinnturner avatar Feb 20 '21 16:02 quinnturner

Hi @quinnturner, could you please add a small Yarn sample project, so that we are able to generate a Dependency-Check report with Yarn dependencies?

Reamer avatar Feb 22 '21 09:02 Reamer

One lazy sidestep is to use https://github.com/imsnif/synp to work with the yarn.lock file.

bhoudu avatar May 25 '21 13:05 bhoudu
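As an added illustration of the synp-style workaround mentioned in the comment above (this is not synp's code and not part of dependency-check-sonar-plugin): a minimal converter that reads a v1 yarn.lock and builds a lockfileVersion 1 package-lock.json document, one of the file types the plugin's log says it can use to link dependencies to files. It assumes only the common entry fields (version, resolved, integrity, dependencies); the sample lock file and its integrity values are constructed.

```python
# Constructed sample in yarn lockfile v1 syntax (integrity hashes are fake placeholders).
SAMPLE_YARN_LOCK = """\
# yarn lockfile v1

"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.10.4":
  version "7.12.13"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.12.13.tgz#dcfc826"
  integrity sha512-CONSTRUCTED1==
  dependencies:
    "@babel/highlight" "^7.12.13"

lodash@^4.17.20:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c"
  integrity sha512-CONSTRUCTED2==
"""

def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def parse_yarn_lock(text):
    """Map package name -> {version, resolved, integrity, requires} from a v1 yarn.lock."""
    packages, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0 and line.endswith(":"):
            # Key line: comma-separated "name@range" specs that all resolve to one entry.
            specs = [_unquote(s.strip()) for s in line[:-1].split(",")]
            name = specs[0].rsplit("@", 1)[0]  # rsplit keeps an @scope/ prefix intact
            current = packages.setdefault(name, {"requires": {}})
        elif indent == 2 and current is not None and line != "dependencies:":
            key, _, value = line.partition(" ")  # version / resolved / integrity
            current[key] = _unquote(value)
        elif indent == 4 and current is not None:
            dep, _, rng = line.partition(" ")  # transitive requirement under dependencies:
            current["requires"][_unquote(dep)] = _unquote(rng)
    return packages

def to_package_lock(packages, project_name="yarn-project"):
    """Build a lockfileVersion 1 package-lock.json document (as a dict, ready for json.dumps)."""
    deps = {}
    for name, info in sorted(packages.items()):
        entry = {k: info[k] for k in ("version", "resolved", "integrity") if k in info}
        if info["requires"]:
            entry["requires"] = dict(info["requires"])
        deps[name] = entry
    return {"name": project_name, "lockfileVersion": 1, "requires": True, "dependencies": deps}
```

Writing the returned dict out with json.dumps as package-lock.json next to yarn.lock gives the plugin a file it recognises; the integrity and resolved values carried over are what make the report entries traceable to the exact artifacts Dependency-Check audited.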

Attached is a simple project (hubot, generated using https://github.com/HelloRusk/generator-hubot-yarn) that has a yarn.lock file. The aforementioned project also has a yarn.lock file available for review: https://github.com/HelloRusk/generator-hubot-yarn/blob/master/yarn.lock

Archive.zip

sunmorgus avatar Aug 17 '21 20:08 sunmorgus

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] avatar Jan 19 '22 10:01 github-actions[bot]

Is there any update on this? Or any known workaround?

LvffY avatar Oct 23 '22 10:10 LvffY

Hello, any update regarding this?

DPirate avatar Aug 25 '23 10:08 DPirate

Encountered the same issue. Up

cpoftea avatar Oct 12 '23 00:10 cpoftea

Same with PHP's composer.lock (experimental). This plugin should add a dummy language for those files in order for them to be reported in Sonar. Related to #677

obriat avatar May 02 '24 08:05 obriat

~~SonarQube support suggests to "add **/*.lock etc. to the Administration → Languages → Secrets → List of file path patterns"~~ ~~https://community.sonarsource.com/t/depency-check-and-files-indexed-with-no-language/114604~~ ~~But it would be cleaner if this plugin provided a specific ".lock" language so lock files would be available in Sonar reports~~ [Edit] Incorrect solution: this setting is about excluding binary files :(

IMHO this plugin should provide a way to force Sonar to follow all untracked files returned by the Dependency-Check analysis, e.g. a failsafe dummy language?

obriat avatar May 03 '24 15:05 obriat