
SecurityHotspots don't work with the dotnet multi csproj example #985

Closed
lizziebeans opened this issue Aug 29, 2024 · 4 comments
Labels
bug lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@lizziebeans

Describe the bug
When using /d:sonar.dependencyCheck.securityHotspot=true we don't get any vulnerabilities showing up in the UI at all.

Running with /d:sonar.dependencyCheck.securityHotspot=false we do get issues, but they're not directly linked to any files.

I did notice in the output it's saying there aren't any project configuration files

INFO: Sensor Dependency-Check [dependencycheck]
INFO: Dependency-Check - Start
INFO: Using JSON-Reportparser
INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.
INFO: Linking 9 dependencies
INFO: Upload Dependency-Check HTML-Report
INFO: Dependency-Check - End
INFO: Sensor Dependency-Check [dependencycheck] (done) | time=953ms

In dotnet I'm expecting these to be the csproj files, but I'm unsure how to get it to recognise them, or whether this is even just a red herring.

I have noticed from the code tab that the csproj files aren't in the view.

I did also try manipulating /d:sonar.sources, which made the csproj files appear in the code view, but still no file linking:

dotnet sonarscanner begin /k:"dependency-check-example-csproj" /d:sonar.host.url="http://localhost:9420"  /d:sonar.token="<token>" /d:sonar.dependencyCheck.jsonReportPath="D:\BuildAgent\results\dependency-check-report.json" /d:sonar.dependencyCheck.htmlReportPath="D:\BuildAgent\results\dependency-check-report.html" /d:sonar.dependencyCheck.securityHotspot=false /d:sonar.projectBaseDir="D:\BuildAgent\s" /d:sonar.sources="D:\BuildAgent\s\ExampleApp1\ExampleApp1.csproj,D:\BuildAgent\s\ExampleApp2\ExampleApp2.csproj"

Obviously there are also no security hotspots, having configured it to false.

To Reproduce
Steps to reproduce the behavior:

  1. Create a directory called BuildServer containing two directories "s" and "results"
  2. Download the code in https://github.com/dependency-check/dependency-check-sonar-plugin/tree/master/examples/multi-project-csproj into the s directory
  3. From the BuildServer directory run
dependency-check.bat --project "dependency-check-example-csproj" --format JSON --format HTML --scan "./s" --nvdApiKey <apiKey> --out "./results"
  4. From the same directory run the following, updating the paths (couldn't get relative paths to work)
dotnet sonarscanner begin /k:"dependency-check-example-csproj" /d:sonar.host.url="http://localhost:9420"  /d:sonar.token="<token>" /d:sonar.dependencyCheck.jsonReportPath="D:\BuildAgent\results\dependency-check-report.json" /d:sonar.dependencyCheck.htmlReportPath="D:\BuildAgent\results\dependency-check-report.html" /d:sonar.dependencyCheck.securityHotspot=true /d:sonar.projectBaseDir="D:\BuildAgent\s"

dotnet build .\s\

dotnet sonarscanner end /d:sonar.token="<token>"
  5. Browse the sonarqube portal.

Current behavior
Don't see any vulnerabilities in either issues or security hotspots

Expected behavior
See issues and security hotspots

Versions (please complete the following information):

  • dependency-check: Dependency-Check Core version 10.0.3
  • sonarqube: 10.6.0.92116
  • sonarqube dotnet scanner for MSBuild 8.0.1
  • dependency-check-sonar-plugin: 5.0.0
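The sensor log above says it could not link dependencies to files because it found no supported project configuration file, so every finding lands on the project instead of on a source file. The script below is an added example, not code from the dependency-check-sonar-plugin or from the reporter: it performs that linking step for .csproj files by reading each project's PackageReference entries and matching them against the NuGet package URLs in a dependency-check JSON report. The csproj contents, the report fragment, the package names and the CVE identifiers are all constructed for the example (the CVE names are placeholders), and the report layout (dependencies[] with packages[].id and vulnerabilities[].name) is assumed from dependency-check's JSON output rather than taken from this page.

```python
"""Link dependency-check findings back to the .csproj files that declare
the vulnerable NuGet package. Added example; not the plugin's own code."""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import unquote

# Constructed csproj files; the paths mirror the multi-project-csproj example,
# the package references are invented for this demonstration.
CSPROJS = {
    "ExampleApp1/ExampleApp1.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="9.0.1" />
    <PackageReference Include="Serilog" Version="2.12.0" />
  </ItemGroup>
</Project>""",
    "ExampleApp2/ExampleApp2.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="9.0.1" />
    <PackageReference Include="log4net" Version="2.0.8" />
  </ItemGroup>
</Project>""",
}

# Constructed dependency-check JSON report fragment. The shape (dependencies[],
# packages[].id as a package URL, vulnerabilities[].name) is assumed from the
# real report format; CVE names here are placeholders, not real advisories.
REPORT_JSON = json.dumps({
    "dependencies": [
        {"fileName": "Newtonsoft.Json:9.0.1",
         "packages": [{"id": "pkg:nuget/Newtonsoft.Json@9.0.1"}],
         "vulnerabilities": [{"name": "CVE-XXXX-0001 (placeholder)", "severity": "HIGH"}]},
        {"fileName": "log4net:2.0.8",
         "packages": [{"id": "pkg:nuget/log4net@2.0.8"}],
         "vulnerabilities": [{"name": "CVE-XXXX-0002 (placeholder)", "severity": "CRITICAL"}]},
        {"fileName": "Serilog:2.12.0",
         "packages": [{"id": "pkg:nuget/Serilog@2.12.0"}]},
        {"fileName": "Orphan.Lib:1.0.0",  # not declared by any csproj: stays unlinked
         "packages": [{"id": "pkg:nuget/Orphan.Lib@1.0.0"}],
         "vulnerabilities": [{"name": "CVE-XXXX-0003 (placeholder)", "severity": "MEDIUM"}]},
    ]
})


def package_references(csproj_xml: str) -> dict:
    """Return {package_name_lower: version} for every PackageReference in a csproj.
    Matches on the local tag name so both namespace-free SDK-style projects
    and older namespaced project files are handled."""
    refs = {}
    for el in ET.fromstring(csproj_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "PackageReference" and el.get("Include"):
            refs[el.get("Include").lower()] = el.get("Version")
    return refs


def nuget_coordinates(purl: str):
    """'pkg:nuget/Newtonsoft.Json@9.0.1' -> ('newtonsoft.json', '9.0.1');
    None for non-NuGet package URLs."""
    prefix = "pkg:nuget/"
    if not purl.startswith(prefix):
        return None
    name, _, version = purl[len(prefix):].partition("@")
    return unquote(name).lower(), unquote(version)


def link_findings(report_json: str, csprojs: dict):
    """Attach each vulnerable dependency to the csproj file(s) that declare it.
    Returns (linked, unlinked); a package used by several projects is reported
    once per project, which is what a per-file view in SonarQube needs."""
    index = defaultdict(list)  # package name -> csproj paths declaring it
    for path, xml in csprojs.items():
        for name in package_references(xml):
            index[name].append(path)

    linked, unlinked = [], []
    for dep in json.loads(report_json).get("dependencies", []):
        vulns = [v["name"] for v in dep.get("vulnerabilities", [])]
        if not vulns:
            continue  # clean dependency, nothing to report
        coords = next((c for c in (nuget_coordinates(p.get("id", ""))
                                   for p in dep.get("packages", [])) if c), None)
        if coords and coords[0] in index:
            for path in index[coords[0]]:
                linked.append({"csproj": path, "package": coords[0],
                               "version": coords[1], "vulnerabilities": vulns})
        else:
            unlinked.append({"dependency": dep.get("fileName"), "vulnerabilities": vulns})
    return linked, unlinked


if __name__ == "__main__":
    linked, unlinked = link_findings(REPORT_JSON, CSPROJS)
    for row in linked:
        print(f"{row['csproj']}: {row['package']}@{row['version']} -> {', '.join(row['vulnerabilities'])}")
    for row in unlinked:
        print(f"UNLINKED {row['dependency']} -> {', '.join(row['vulnerabilities'])}")
```

Anything left in the unlinked list is exactly the case the sensor warns about: a finding with no file to hang it on, which in a real pipeline is usually a transitive package that no csproj names directly, so the project-level report is the only place it will appear.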

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 29, 2024
@AkosHosszu

Same issue here...

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 7, 2024

github-actions bot commented Jan 6, 2025

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 6, 2025

This issue was closed because it has been stalled for 14 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 21, 2025