Vulnerabilities not visible in Sonar on pull requests #485

Open
michalkochanowicz opened this issue Aug 20, 2021 · 11 comments
Labels: bug, lifecycle/frozen (indicates that an issue or PR should not be auto-closed due to staleness)

Comments

@michalkochanowicz

Describe the bug
When Sonar analyzes pull request, reported vulnerabilities are not visible in Sonar. They are visible on release branches. Applies to Java and TypeScript code.

For Java I tried using Maven plugin and invoking directly, both from Jenkins.

Shell command:

mvn install org.owasp:dependency-check-maven:check sonar:sonar -Dformats=json,html -Dhttp.proxyHost=XXX -Dhttp.proxyPort=8080 -Dhttps.proxyHost=XXX -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts=XXX -P CCC -P !DDD,!EEE -Dsonar.pullrequest.key=YYY -Dsonar.pullrequest.branch=feature/ZZZ -Dsonar.pullrequest.base=develop -Dsonar.pullrequest.bitbucketserver.project=AAA -Dsonar.pullrequest.bitbucketserver.repository=BBB javadoc:javadoc -DskipITs=false

Maven plugin setup:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${dependency-check-maven.version}</version>
    <configuration>
        <autoUpdate>true</autoUpdate>
        <formats>
            <format>HTML</format>
            <format>JSON</format>
        </formats>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

For TypeScript (Angular) I invoke directly.

For both cases vulnerabilities are written to the standard output, JSON and HTML reports.

HTML report is visible in Sonar.

Processing by Sonar seems successful:

[INFO] Sensor Dependency-Check [dependencycheck]
[INFO] Process Dependency-Check report
[INFO] Using JSON-Reportparser
[INFO] Linking 96 dependencies
[WARNING] vulnerability CVE-2015-6644 is unscored. Using MEDIUM
[WARNING] vulnerability CVE-2015-6644 is unscored. Using MEDIUM
[INFO] Upload Dependency-Check HTML-Report
[INFO] Process Dependency-Check report (done) | time=412ms
[INFO] Sensor Dependency-Check [dependencycheck] (done) | time=413ms

To Reproduce
It would be helpful if you supported us with example projects.
Steps to reproduce the behavior:

Analyze a pull request with Sonar.

Current behavior
Vulnerabilities are not visible in Sonar (except in the embedded HTML report), neither in the overview nor in the code sections.

Expected behavior
Vulnerabilities are visible in Sonar in the overview and in the code sections.

Versions (please complete the following information):

  • dependency-check: 6.2.2
  • sonarqube: Developer Edition Version 8.9 (build 43852)
  • dependency-check-sonar-plugin: 2.0.8
@Reamer
Member

Reamer commented Aug 28, 2021

Pull request analysis is only available in a commercial version. Since I do not have access to such a version, I cannot reproduce this bug and therefore I am closing the issue. If you think you can correct the bug yourself, I will be happy to evaluate your incoming solution.

@Reamer Reamer closed this as completed Aug 28, 2021
@andreasgebauer

andreasgebauer commented Dec 15, 2021

I am facing the same problem. You could also test this with https://github.com/mc1arke/sonarqube-community-branch-plugin. I am using this plugin too in order to avoid having to use the commercial edition of SonarQube.

@daudo

daudo commented Mar 17, 2022

Adding my voice, too. We're using both the commercial version and the community edition with the community branch plugin.

I understand that you, @Reamer, don't want to dig into the issue, so maybe I can figure it out myself. Any pointer where to start looking?

And, additionally, if I am not completely wrong, this used to work some time ago for branches as well, but I am not 100% sure about this.

@Reamer
Member

Reamer commented Mar 17, 2022

Any pointer where to start looking?

That's the code part that uploads the HTML report.
The code part that adds issues to your code.
The code part that downloads the HTML report from SonarQube to display it in the frontend.

Please note that a pull request should only indicate a new vulnerability if another vulnerability has been discovered which is not in the main branch.

@emilekberg

@daudo any luck? We are currently facing the same issue. We tried introducing a vulnerability in a pull request and it does not raise a warning about the introduced vulnerability; however, we can see it in the JSON and HTML report.

I also noticed that the scanner does not identify .csproj changes in the changes, only the changes to the .cs files. I wonder if this can relate to this issue, since the PR might not figure out that the .csproj has changed with a new vulnerability/dependency.

Versions:

  • SonarQube: Developer Edition Version 8.9.6 (build 50800)
  • Dependency Check: 7.1.0
  • Dependency Check SonarQube Plugin: 2.0.7

@dszulist

dszulist commented Dec 9, 2022

@daudo is there any progress? We are using the Developer Edition and have the same issue.

@tremblaysimon

@Reamer I understand that you don't have a SonarQube Developer/Enterprise Edition to be able to add and test that feature. But I think you should reconsider reopening this issue, since I think it's a valid feature request, if only to show people who want to contribute that they can.

@Reamer Reamer reopened this Feb 16, 2023
@Reamer Reamer added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 16, 2023
@github-actions

github-actions bot commented Mar 3, 2023

This issue was closed because it has been stalled for 14 days with no activity.

@github-actions github-actions bot closed this as not planned Mar 3, 2023
@Reamer Reamer added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 3, 2023
@Reamer Reamer reopened this Mar 3, 2023
@Flash619

Flash619 commented Mar 24, 2023

I have experienced this same issue recently on some existing code. My findings were...

  • The dependency-check-sonar plugin does identify CVEs and attempt to create issues with accurate data.
  • SonarQube would not surface the issues reported by the dependency-check-sonar plugin.

I started researching deeper into why SonarQube was ignoring these issues, and it seems related to a support response.

As stated, SonarQube will only raise issues on changed lines of code, even if they have been reported by a plugin. The fix for me was to change the offending lines of code so that SonarQube would see them as modified. After the lines had been seen by SonarQube as modified within the PR, SonarQube allowed issues located within those lines (the CVE) to be raised.

Hope this helps someone!
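As an added example (not code from dependency-check-sonar-plugin or from anyone in this thread), the check below predicts which new Dependency-Check findings a PR analysis would surface, combining Reamer's rule that only findings absent from the main branch count with Flash619's observation that SonarQube raises PR issues only on changed lines. It assumes a finding is anchored on the dependency's `<dependency>` block in pom.xml, that changed lines come from `git diff -U0`, and that the reports are dicts trimmed to the fields used here; the pom, diff and CVE ids are constructed placeholders.

```python
# Added example, not code from dependency-check-sonar-plugin. Assumes a finding is
# anchored on its <dependency> block in pom.xml and PR issues need a changed line.
import re
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@", re.M)
DEP_RE = re.compile(r"<dependency>.*?<artifactId>([^<]+)</artifactId>.*?</dependency>", re.S)

def changed_lines(diff_u0):
    """New-side lines added or modified, read from the hunk headers of `git diff -U0`."""
    return {n for s, c in HUNK_RE.findall(diff_u0) for n in range(int(s), int(s) + int(c or 1))}

def cves_by_artifact(report):
    """artifactId -> set of CVE names from a parsed Dependency-Check JSON report."""
    out = {}
    for dep in report["dependencies"]:
        for pkg in dep["packages"]:  # purl: pkg:maven/<group>/<artifact>@<version>
            artifact = pkg["id"].split("@")[0].rsplit("/", 1)[-1]
            out.setdefault(artifact, set()).update(v["name"] for v in dep["vulnerabilities"])
    return out

def dependency_blocks(pom):
    """artifactId -> 1-based line range of its <dependency> block in pom.xml."""
    return {m.group(1): range(pom.count("\n", 0, m.start()) + 1, pom.count("\n", 0, m.end()) + 2)
            for m in DEP_RE.finditer(pom)}

def triage(base_report, pr_report, pom, diff):
    """CVEs absent from the base branch, split by whether the PR touched their block."""
    base, pr = cves_by_artifact(base_report), cves_by_artifact(pr_report)
    blocks, changed = dependency_blocks(pom), changed_lines(diff)
    result = {"raised": {}, "dropped": {}}
    for artifact, cves in pr.items():
        if new := cves - base.get(artifact, set()):
            # a transitive dependency has no block in pom.xml, so it can never be "changed"
            touched = changed & set(blocks.get(artifact, ()))
            result["raised" if touched else "dropped"][artifact] = new
    return result

def report(*deps):  # build a constructed, trimmed report from (purl, [cve, ...]) pairs
    return {"dependencies": [{"packages": [{"id": p}], "vulnerabilities": [{"name": c} for c in cves]}
                             for p, cves in deps]}

# Constructed inputs: the PR bumps guava on line 3; a new commons-text CVE appears meanwhile.
POM = """<project><dependencies>
<dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
<version>31.0-jre</version></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId>
<version>1.9</version></dependency></dependencies></project>"""
DIFF = "--- a/pom.xml\n+++ b/pom.xml\n@@ -3 +3 @@\n-<version>30.0-jre</version></dependency>\n+<version>31.0-jre</version></dependency>\n"
GUAVA, TEXT = "pkg:maven/com.google.guava/guava@", "pkg:maven/org.apache.commons/commons-text@1.9"
BASE = report((GUAVA + "30.0-jre", []), (TEXT, ["CVE-EXAMPLE-0001"]))
PR = report((GUAVA + "31.0-jre", ["CVE-EXAMPLE-0002"]), (TEXT, ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"]))
```

`triage(BASE, PR, POM, DIFF)` reports the guava CVE as raised and the commons-text CVE as dropped, which is the silent gap jenspopp describes below for a CVE published during the PR's lifetime.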

@jenspopp
Contributor

jenspopp commented Jul 25, 2023

Hi, I came across the same issue. Even if I introduce a vulnerability by changing values in the Maven dependency management section, it will only be shown in the branch build (if my workflow allows both in parallel, PR and branch build). Additionally, a dependency issue came up during the lifetime of the PR (in this case guava).
This is an issue: I can introduce a dependency that becomes "critical" during development on the PR... and the PR will be mergeable...

@mjbs82

mjbs82 commented Oct 6, 2023

Hi @Flash619, I'm interested in knowing more details about how you overcame this limitation. Could you please provide more details about the changes you made in order to have vulnerabilities raised in MR analysis? Thanks
