Issues and hotspots doesn't include dependency-check vulnerabilities

[arturkasperek]

trafficstars

Describe the bug I'm using the following settings when running the scanner:

        -Dsonar.dependencyCheck.securityHotspot=true \
        -Dsonar.dependencyCheck.jsonReportPath=owasp-reports/dependency-check-report.json \
        -Dsonar.dependencyCheck.htmlReportPath=owasp-reports/dependency-check-report.html \
        -Dsonar.dependencyCheck.xmlReportPath=owasp-reports/dependency-check-report.xml \

I don't see any errors on SQ server or gitlabCI job dependency check logs. After all, I can see an extra item to access the report:

It has vulnerabilities and right now don't sure why they are not included either on Issues or Security hotspots In previous versions I saw that dependency check sonar plugin was also reporting on Issues - don't sure why it doesn't work

Versions (please complete the following information):

• dependency-check: v9.2.0
• sonarqube: 10.4.1.88267
• dependency-check-sonar-plugin: 5.0.0

[Reamer]

xmlReportPath is deprecated and removed. Security Hotspot Feature is deprecated as well.

[arturkasperek]

@Reamer hm - can I somehow integrate deps scan audit with sq native issues?

[Erry91]

I am also interested in how to make vulnerabilities detections reported in the dependency-check scan appear in either "Issues" or "Security Hotspots"

[Reamer]

@Reamer hm - can I somehow integrate deps scan audit with sq native issues?

Try deactivating the security hotspot feature.

[mutzbraten]

xmlReportPath is deprecated and removed. Security Hotspot Feature is deprecated as well.

Where do I find documentation about the deprecation of security hotspot feature? Is there any alternative suggested? Does this mean, the bug will not be fixed?

[Reamer]

Where do I find documentation about the deprecation of security hotspot feature?

I think here: https://docs.sonarsource.com/sonarqube/latest/user-guide/security-hotspots/

Issue types (bug, vulnerability, and code smell) are deprecated

Generally speaking, I can no longer mark a rule as a security hotspot in the source code. I think therefore I can not fix this bug.

[Reamer]

Checkout https://github.com/SonarSource/sonar-plugin-api/commit/6785feacbb08c28f0dd1d99c208f6a26956f1517 for more

[arturkasperek]

@Reamer is there a way to integrate deps audit results on some native sonarqube view? Right now this plugin only enables to display HTML with results. Im using sq 10.4 (in previous version it worked fine and integrated)

[Reamer]

This could be possible. However, I am not a frontend developer and therefore cannot implement this requirement.

[arturkasperek]

@Reamer, I don't have frontend tweaks on my mind. Sonarqube has a native solution to register custom issues. I think with the old SQ version, issues from dependency check step were correctly registered - right now I don't see anymore any issues

[rupreck]

xmlReportPath is deprecated and removed. Security Hotspot Feature is deprecated as well.

This is a very important plugin but the change to no longer support dependency CVE's as Security Hotspots is a real disappointment. As Security Hotspots they were well presented and allowed a history of changes with notes providing traceability. As Security Issues, changes are less visible and they are not presented well. Is there any way / plan to have this capability restored? Security Hotspots are a major focus area in SonarQube.

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[david-vdd]

The html report is working fine, however, I'm also unable to get any indication of vulnerabilities(either issues or security hotspots) in Sonar using the latest version of sonarqube, the plugin and the dependency check.

[SvenT23]

Where do I find documentation about the deprecation of security hotspot feature?

I think here: https://docs.sonarsource.com/sonarqube/latest/user-guide/security-hotspots/

Issue types (bug, vulnerability, and code smell) are deprecated

Generally speaking, I can no longer mark a rule as a security hotspot in the source code. I think therefore I can not fix this bug.

In the current documentation of your link, there is no mention of any deprecation of security hotspots. Mind you, it's the documentation for the LTA, so I'm pretty sure it's not going to be deprecated for a long time.

Am I missing/misunderstanding something? It seems that SonarQube still supports security hotspots just fine, so I don't understand what this response is saying. Is it simply no longer allowed to create custom security hotspots?

[SvenT23]

After looking into this further, I think SonarQube has removed the previous deprecation in the plugin API as well: https://github.com/SonarSource/sonar-plugin-api/releases/tag/11.1.0.2693

So the deprecation itself seems to have been a mistake

[rupreck]

Yes this is still possible to raise these as security hotspots, if the support can be added again?

Here is a thread that queried that:

https://community.sonarsource.com/t/import-sarif-results-as-security-hotspots/83223/12

Will

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[github-actions[bot]]

This issue was closed because it has been stalled for 14 days with no activity.

[SvenT23]

Still very relevant as a feature we want fixed. I'm willing to help create a PR but I have no idea where to start to fix what got removed.