securego
Sonar format reports deprecated fields
Summary
When Sonarqube ingests the gosec output file, generated sonarqube format, a warning is displayed indicating that the file has deprecated fields which will not be supported in the future.
Steps to reproduce the behavior
Run gosec on the project with these parameters:
gosec -fmt=sonarqube -out=.testreports/gosec-report.json ./... ;
Then run sonar scanner CLI with the following parameter in the config file:
sonar.externalIssuesReportPaths=.testreports/gosec-report.json
gosec version
Using the docker container, which reports the following:
Version: dev Git tag: Build date: 2024-05-14
Go version (output of 'go version')
v1.23.0
Operating system / Environment
Linux
Expected behavior
Analysis of gosec report to complete without errors or warnings.
Actual behavior
The following warning is displayed:
WARN: External issues were imported with a deprecated format which will be removed soon. Please switch to the newest format to fully benefit from Clean Code: https://docs.sonarsource.com/sonarcloud/enriching/generic-issue-data/
Shall this be an evolution of the actual sonarqube output format they are very close but some fields are moved or shall there be a sonarqube-external-issues format ?
I sought clarification on the changes in the file spec from Sonar and got some additional info. Here’s an example of an issue in the deprecated format of the report:
{
"issues": [
{
"engineId": "gosec",
"ruleId": "G101",
"primaryLocation": {
"message": "Potential hardcoded credentials",
"filePath": "/home/stevanvanderwerf/code/learn-go-with-tests/arrays/v1/sum.go",
"textRange": {
"startLine": 2,
"endLine": 2
}
},
"type": "VULNERABILITY",
"severity": "BLOCKER",
"effortMinutes": 5
}
]
}
The current format would look like this:
{
"rules": [
{
"id": "G101",
"name": "G101",
"engineId": "gosec",
"cleanCodeAttribute": "TRUSTWORTHY",
"impacts": [
{
"softwareQuality": "SECURITY",
"severity": "HIGH"
}
]
}
],
"issues": [
{
"ruleId": "G101",
"effortMinutes": 5,
"primaryLocation": {
"message": "Potential hardcoded credentials",
"filePath": "/home/stevanvanderwerf/code/learn-go-with-tests/arrays/v1/sum.go",
"textRange": {
"startLine": 2,
"endLine": 2
}
}
}
]
}
In the new format you can see that I’ve selected SECURITY as the SoftwareQuality impact. For reference: https://docs.sonarsource.com/sonarcloud/enriching/generic-issue-data/
Additionally, to see the differences between the deprecated format and current format of the Generic Issue Reports, you can also reference them in SonarQube: https://docs.sonarsource.com/sonarqube/9.9/analyzing-source-code/importing-external-issues/generic-issue-import-format/
https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/importing-external-issues/generic-issue-import-format/
@CameronGo Interesting you got an error message from the cli warning you. I see if you upgrade to the latest LTS it will force your warning as MEDIUM which we may not want. I was the one that originally wrote this report, and now looking to upgrade sonarqube past 9.9 LTS. Perhaps we should propose a -fmt=sonarqubeV2?
