Report content is not deplyed within SonarQube

[ahmadalfy]

I am using SonarQube v10.6 and version 5.0 of the plugin. Dependency check runs from this docker image and it uses the latest version. It runs on gitlab-ci.

This is the command that runs the scanner in the CI

/usr/share/dependency-check/bin/dependency-check.sh
      --scan "./"
      --format ALL
      --project "$CI_PROJECT_NAME"
      --enableExperimental
      --failOnCVSS 0
      --suppression /suppressions/npm_fp_suppression.xml
      --suppression /suppressions/npm_na_suppressions.xml

Note the --enableExperimental flag because I am using composer as a package manager.

The scanner generates the reports successfully and I keep the artifacts; HTML and JSON. Those artifacts are then passed to SonarQube and it successfuly loads the plugin and import those files as per logs here:

DEBUG: Plugins loaded:
DEBUG:   * Dependency-Check 5.0.0 (dependencycheck)
...
...
...
DEBUG: Sensors : Dependency-Check -> Zero Coverage Sensor
INFO: Sensor Dependency-Check [dependencycheck]
INFO: Dependency-Check - Start
INFO: Using JSON-Reportparser
INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.
INFO: Linking 101 dependencies
...
...
...
DEBUG: Saving Metrics to project DependencyCheckMetric [inputcomponent=[key=project], totalDependencies=101, vulnerableDependencies=2, vulnerabilityCount=4, highIssuesCount=1, mediumIssuesCount=0, lowIssuesCount=1]
DEBUG: Save measures on [key=project]
INFO: Upload Dependency-Check HTML-Report
INFO: Dependency-Check - End
INFO: Sensor Dependency-Check [dependencycheck] (done) | time=3903ms

As you can see the scanner didn't check composer.lock but the reported metrics contain information about those vulnerabilities. Now let me show you how it looks when it's created on SonarQube:

The security hotspot: No information about the vulnerabilities. These are all different vulnerabilities from the code

The issues: Show no vulnerability

The metrics: Show this conclusion

But when you clicn anything you just see the files tree

The HTML works as expected

And it shows vulnerabilities reported by dependency check

Now what's wrong with what I am doing? Why the dependencies are not showing on SonarQube with details about the CVE and other details?

[abhishekbhilare123]

hi @ahmadalfy ,
even we are also facing same issue where it working for PHP but not for java and other languages.

but html works as expected. not bing displayed on the sonarqube UI.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[ahmadalfy]

This problem has not been fixed

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[ahmadalfy]

Ding, this problem has not been fixed yet