
Sonar dependency check multi project setup

Open pellepelster opened this issue 1 year ago • 2 comments

Describe the bug

I am not sure if this is a bug, or intentional design, but I am struggling to grasp how the plugin is supposed to work in a multi-project setup, where the root (parent) Gradle project hosts a number of submodules. Based on examples/single-module-gradle I was able to upload and use a report of a simple single module project, but with multiple modules this approach fails.

To Reproduce

Assuming a multimodule setup, where the dependency check is applied to all subprojects, after running the dependency check I get this (expected) result:

project_root/
│
├─ module1/
│      ├─ build/reports/
│      │     └─ dependency-check-report.json
│      │     └─ dependency-check-report.html
│      └─ build.gradle (1)
├─ module2/
│      ├─ build/reports/
│      │     └─ dependency-check-report.json
│      │     └─ dependency-check-report.html
│      └─ build.gradle (2)
├─ [...]
└─ build.gradle (3)

Configuring module1 (1) or module2 (2) with

sonarqube {
    properties {
        property 'sonar.dependencyCheck.jsonReportPath', 'build/reports/dependency-check-report.json'
        property 'sonar.dependencyCheck.htmlReportPath', 'build/reports/dependency-check-report.html'
    }
}

does not seem to have any effect; in Sonar I get "No HTML-Report found. Please check property sonar.dependencyCheck.htmlReportPath" and also no security issues for vulnerable dependencies. I tried multiple ways of providing the sonar.dependencyCheck.*ReportPath properties, including absolute paths, but it never worked. My question is: should this work at all, or rather, what is the intended way to use this plugin in multimodule setups?

Versions (please complete the following information):

  • dependency-check: 8.2.1
  • sonarqube: 10.5
  • dependency-check-sonar-plugin: 5.0.0.4638

pellepelster avatar Jun 04 '24 05:06 pellepelster

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] avatar Aug 04 '24 02:08 github-actions[bot]

Sorry for the late response. Please use the goal dependency-check:aggregate to create a report in the parent module. Take a look at the Maven example project: https://github.com/dependency-check/dependency-check-sonar-plugin/tree/master/examples/multi-module-maven

Reamer avatar Aug 05 '24 14:08 Reamer
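The aggregate approach above, carried over to the reporter's Gradle setup, as an added example that is not part of this thread or of the plugin's own example projects. It assumes the OWASP Gradle plugin's dependencyCheckAggregate task (the counterpart of the Maven aggregate goal) and an org.sonarqube plugin version that still exposes the sonarqube extension used in the issue; the plugin versions and report paths are assumptions, and the plugin version 8.2.1 is the one the reporter named.

```groovy
// Root build.gradle (3) of the multi-module build. Instead of configuring
// sonar.dependencyCheck.*ReportPath in module1/module2, scan all subprojects
// from the root and point Sonar at the single combined report.
plugins {
    id 'org.owasp.dependencycheck' version '8.2.1'   // version from the issue
    id 'org.sonarqube' version '4.4.1.3373'          // assumed version
}

// Root-level output directory for the aggregate report (assumed path).
def dcReports = "${layout.buildDirectory.get().asFile}/reports"

dependencyCheck {
    // The Sonar plugin reads the JSON report for findings and serves the
    // HTML report as the human-readable view, so produce both.
    formats = ['HTML', 'JSON']
    outputDirectory = dcReports
    // Fail the build on any dependency rated CVSS 7 or higher (assumed gate).
    failBuildOnCVSS = 7
}

sonarqube {
    properties {
        // These paths now refer to the ROOT project's aggregate report,
        // not to module1/build/reports or module2/build/reports.
        property 'sonar.dependencyCheck.jsonReportPath', "${dcReports}/dependency-check-report.json"
        property 'sonar.dependencyCheck.htmlReportPath', "${dcReports}/dependency-check-report.html"
    }
}

// Guarantee the aggregate scan has finished before the Sonar scanner reads
// the reports; otherwise a fresh checkout yields "No HTML-Report found".
tasks.named('sonarqube') {
    dependsOn 'dependencyCheckAggregate'
}
```

Run `./gradlew dependencyCheckAggregate sonarqube` from project_root; the vulnerable-dependency issues then appear on the root project in SonarQube rather than on the individual modules.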

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] avatar Oct 05 '24 02:10 github-actions[bot]

Worked for me, thanks for your support.

pellepelster avatar Oct 05 '24 10:10 pellepelster