Vulnerabilities not visible in Sonar on pull requests #485
Comments
Pull request analysis is only available in a commercial version. Since I do not have access to such a version, I cannot reproduce this bug and therefore I am closing the issue. If you think you can correct the bug yourself, I will be happy to evaluate your incoming solution.
I am facing the same problem. You could also test this with https://github.com/mc1arke/sonarqube-community-branch-plugin. I am using this plugin too in order to avoid having to use the commercial edition of SonarQube.
Adding my voice, too. We're using both the commercial version and the community edition with the community branch plugin. I understand that you @Reamer don't want to dig into the issue, so maybe I can figure it out myself. Any pointer where to start looking? And, additionally, if I am not completely wrong, this used to work some time ago for branches as well, but I am not 100% sure about this.
That's the code part that uploads the HTML report. Please note that a pull request should only indicate a new vulnerability if another vulnerability has been discovered which is not in the main branch.
@daudo any luck? We are currently facing the same issue. We tried introducing a vulnerability in a pull request and it does not raise a warning about the introduced vulnerability; however, we can see it in the JSON and HTML reports. I also noticed the scanner does not identify .csproj changes in the changes, only the changes to the .cs files. I wonder if this can relate to this issue, since the PR might not figure out that the .csproj has changed with a new vulnerability/dependency. Versions:
@daudo is there any progress? We are using the developer edition and have the same issue.
@Reamer I understand that you don't have a SonarQube developer/enterprise edition to be able to add and test that feature. But I think you should reconsider reopening that issue, since I think it's a valid feature request, and if only to show people who want to contribute that they can.
This issue was closed because it has been stalled for 14 days with no activity.
I have experienced this same issue recently on some existing code. My findings were...
I started researching deeper into why SonarQube was ignoring these issues, and it seems related to a support response. As stated, SonarQube will only raise issues on changed lines of code, even if they have been reported by a plugin. The fix for me was to change the offending lines of code so that SonarQube would see them as modified. After the lines had been seen by SonarQube as modified within the PR, SonarQube allowed issues located within those lines (the CVE) to be raised. Hope this helps someone!
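The rule described in that comment, as an added example that is not part of the thread or of the plugin: a small Python script derives the lines a pull request changed from its unified diff and shows which reported findings land on those lines (and so would be raised in PR analysis) versus which sit on untouched lines (and are dropped). The diff, file names and CVE-style ids are constructed placeholders.

```python
import re
from collections import defaultdict
# "@@ -old,len +new,len @@": group(1) is the first new-file line of the hunk.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def changed_lines(diff_text):
    """Map each file in a unified diff to the new-file line numbers it adds or modifies."""
    changed, path, new_line, in_hunk = defaultdict(set), None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff "):
            in_hunk = False                      # a new file section begins
        elif raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")    # post-change path
        elif raw.startswith("@@"):
            new_line, in_hunk = int(HUNK_RE.match(raw).group(1)), True
        elif not in_hunk or raw.startswith("-"):
            continue                             # file headers, removed lines
        elif raw.startswith("+"):
            changed[path].add(new_line)          # added or modified line
            new_line += 1
        else:
            new_line += 1                        # unchanged context line
    return dict(changed)

def triage(findings, diff_text):
    """Split findings into those raised on the PR (on a changed line) and those dropped."""
    changed = changed_lines(diff_text)
    raised, dropped = [], []
    for f in findings:
        hit = f["line"] in changed.get(f["file"], set())
        (raised if hit else dropped).append(f["id"])
    return raised, dropped

# Constructed sample PR diff: one dependency version bumped in pom.xml.
SAMPLE_DIFF = """\
diff --git a/pom.xml b/pom.xml
--- a/pom.xml
+++ b/pom.xml
@@ -11,3 +11,3 @@
       <artifactId>commons-text</artifactId>
-      <version>1.9</version>
+      <version>1.10.0</version>
     </dependency>
"""
# Constructed findings with placeholder ids (not real CVE numbers).
FINDINGS = [
    {"id": "CVE-XXXX-0001", "file": "pom.xml", "line": 12},     # on the changed line
    {"id": "CVE-XXXX-0002", "file": "pom.xml", "line": 20},     # dependency untouched by PR
    {"id": "CVE-XXXX-0003", "file": "package.json", "line": 5}, # file not in the diff
]
```

Touching the line of a dropped finding inside the PR moves it into the raised list, which is the workaround the comment above describes.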
Hi, I came across the same issue. Even if I introduce a vulnerability by changing values in the Maven dependency management section, it will only be shown in the branch build (if my workflow allows both in parallel, PR and branch build). Additionally, a dependency issue came up during the lifetime of the PR (in this case guava).
Hi @Flash619, I'm interested in knowing more details about how you overcame this limitation. Could you please provide more details about the changes you did in order to have vulnerabilities raised in MR analysis? Thanks
Describe the bug
When Sonar analyzes a pull request, reported vulnerabilities are not visible in Sonar. They are visible on release branches. Applies to Java and TypeScript code.
For Java I tried using the Maven plugin and invoking it directly, both from Jenkins.
Shell command:
Maven plugin setup:
For TypeScript (Angular) I invoke it directly.
In both cases, vulnerabilities are written to standard output and to the JSON and HTML reports.
The HTML report is visible in Sonar.
Processing by Sonar seems successful:
To Reproduce
It would be helpful when you support us with example projects.
Steps to reproduce the behavior:
Analyze pull request with Sonar.
Current behavior
Vulnerabilities not visible in Sonar (except for the embedded HTML report). Neither in the overview nor in the code sections.
Expected behavior
Vulnerabilities visible in Sonar in the overview and in the code sections.
Versions (please complete the following information):