Pnpm vulnerabilities are not shown in sonarqube
18:47:34.919 INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.
pnpm-lock.yaml is not recognized as a configuration file, so the vulnerabilities found via the dependency-check report are not shown in SonarQube. How can I add these vulnerabilities to SonarQube?
here is my sonar-scanner logs for dependency-check
I'm having this same issue, I'm also not seeing package.json in my code in Sonarqube so I'm uncertain if it might also be the cause that it cannot link the vulnerabilities to dependencies.
I do see the html report in Sonarqube and that looks fine, I can see "OWASP-Dependency-Check" in the "Measures" tab of the project with numbers of vulnerabilities there I just can't see it linked to anything or in the Project's Security Hotspots.
For npm you need the package-lock.json in your SCM as recommended by npm. https://docs.npmjs.com/cli/v10/configuring-npm/package-lock-json
This file is intended to be committed into source repositories
Please adjust sonar.sources property like in the example project.
https://github.com/dependency-check/dependency-check-sonar-plugin/blob/master/examples/single-module-nodejs/sonar-project.properties#L5
After that adjustment your vulnerabilities should be linked to the package-lock.json.
pnpm-lock.yaml is currently not supported.
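For reference, a sonar-project.properties along the lines the maintainer describes, added here as an illustration and not the project's own example file; the project key, source directory and report paths are assumed, and the lock file must be committed and included in sonar.sources so the plugin has a file to attach findings to.

```properties
# Assumed project identity; replace with your own values.
sonar.projectKey=my-node-service
sonar.projectName=My Node Service
sonar.projectVersion=1.0

# Include package-lock.json alongside the source tree so the
# dependency-check plugin can link each CVE finding to the lock file.
# pnpm-lock.yaml is not recognized, so a pnpm-only repo has nothing to link to.
sonar.sources=src,package-lock.json

# Paths to the reports produced by "dependency-check --format JSON --format HTML",
# assumed here to be written to the scanner's working directory.
sonar.dependencyCheck.jsonReportPath=dependency-check-report.json
sonar.dependencyCheck.htmlReportPath=dependency-check-report.html
```

Run dependency-check before sonar-scanner so the report files exist when the scan starts; the "No project configuration file" log line above is the symptom of a missing or unlisted lock file, not of a missing report.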
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.
This issue was closed because it has been stalled for 14 days with no activity.