
"This request cannot be processed. Try again later." in Security Hotspots view after importing report when "sonar.dependencyCheck.securityHotspot" is enabled. #270

Closed
alixwar opened this issue Jul 27, 2020 · 10 comments

@alixwar

alixwar commented Jul 27, 2020

Describe the bug
The Security Hotspots view "crashes" when the option "sonar.dependencyCheck.securityHotspot" is enabled after importing issues from an OWASP dependency check report. It works fine importing the issues if the option is disabled.

I first saw the issue here: #252 (comment) but we couldn't figure out where the problem was.
Since then the PR was merged and there was a new release (2.0.5) and I could reproduce the problem in production.
I created a support ticket at SonarSource for the problem and they say the following:

I did look at your screenshot as indeed it is a JS/TS error.

But if the problem does not happen when the dependency check plugin is not installed, this is a side effect of that 3rd party plugin and there is not much I can do for you about it.

Regards, Olivier

PS: Admittedly we could have the JS code more robust to plugins that do not implement all the latest features of SonarQube (like hotspots, precise issue location - I suspect this is more due to the latter), but this can't be considered a priority issue for us.

The screenshot from the debugger that I sent to SonarSource:
[screenshot: SUPPORT-19786]

Versions (please complete the following information):

  • Dependency check plugin 2.0.5
  • SonarQube 8.3.1 Enterprise Edition
@alixwar alixwar added the bug label Jul 27, 2020
@alixwar alixwar changed the title "This request cannot be processed. Try again later." when using security hotspots "This request cannot be processed. Try again later." in Security Hotspots view after importing report when "sonar.dependencyCheck.securityHotspot" is enabled. Jul 27, 2020
@Reamer
Member

Reamer commented Jul 27, 2020

Hi @alixwar,
as long as you can't provide a way to reproduce the problem, I can't help you. I'm sorry.

One last possibility:
If you disable the dependency-check hotspot feature and reimport your issues, are all issues linked against a file?

@alixwar
Author

alixwar commented Jul 27, 2020

> Hi @alixwar,
> as long as you can't provide a way to reproduce the problem, I can't help you. I'm sorry.

I understand. But anyway, I think it's good that the issue is reported so that other people can provide input.

> One last possibility:
> If you disable the dependency-check hotspot feature and reimport your issues, are all issues linked against a file?

I can't play around with our production environment unfortunately, so I would need to set up a sandbox. I'm not sure if/when I have time to look into this, but if/when I do, I will post my results here.

@alixwar
Author

alixwar commented Jul 29, 2020

Here is one more screenshot with the line of code failing:

[screenshot: issue-securityhotspot]

@alixwar
Author

alixwar commented Jul 29, 2020

@alixwar
Author

alixwar commented Jul 29, 2020

[screenshot: issue-securityhotspot2]
With debug info

@Reamer
Member

Reamer commented Jul 29, 2020

Hi @alixwar,
Thank you for opening a bug report in the sonarqube community forum and for providing debug output. It seems that the TypeScript did not find any TextRange. This can happen when a security hotspot issue is linked to the project.

Do you have the following output in your sonar analysis?

No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.

@alixwar
Author

alixwar commented Jul 30, 2020

Hi @Reamer, yes I can confirm that I see this:

```
2020-07-30T08:58:19.162+0200 [INFO] [org.sonarqube.gradle.SonarQubeTask] Using XML-Reportparser
2020-07-30T08:58:19.512+0200 [INFO] [org.sonarqube.gradle.SonarQubeTask] No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.
```

I'm now looking into how to configure sonar.sources to include build.gradle without breaking anything...
According to https://docs.gradle.org/current/userguide/organizing_gradle_projects.html the build.gradle files should not be in "src/main". But sonar.sources is set to "src/main". I have requested help from SonarSource through our support account. Let's see what they say.

@Reamer
Member

Reamer commented Jul 30, 2020

Hi @alixwar,
this line should solve your problem.

```
properties["sonar.sources"] += "build.gradle"
```

@alixwar
Author

alixwar commented Jul 30, 2020

> Hi @alixwar,
> this line should solve your problem.
>
> ```
> properties["sonar.sources"] += "build.gradle"
> ```

Thanks! I have a multi-module project but I will try this

@alixwar
Author

alixwar commented Jul 30, 2020

@Reamer This didn't work for a multi-module project but this configuration solved it for me:

```groovy
subprojects {
    sonarqube {
        properties {
            // Add the module's build file next to the regular sources so the
            // plugin can link dependency-check findings to a file.
            property "sonar.sources", "src/main,build.gradle"
            // ...
        }
    }
}
```

I can confirm that it works as expected for me now.
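The two checks this thread converged on (the "cannot link dependencies with files" warning in the scanner log, and hotspots attached to the project rather than to a file) can be automated before enabling `sonar.dependencyCheck.securityHotspot`. The script below is an added example, not code from the dependency-check plugin or from SonarQube. The hotspot records are constructed samples and their shape (`key`, `component`, `project`, `textRange`) is an assumption modelled on SonarQube's `api/hotspots/search` response; the log excerpt is the one quoted earlier in this thread.

```python
"""Pre-flight checks for dependency-check hotspots (added example).

Assumptions (not verified against a live server):
  * hotspot records carry 'key', 'component', 'project' and, when linked to
    a file, a 'textRange' dict, as in api/hotspots/search responses;
  * a hotspot whose 'component' equals its 'project' key is attached to the
    project itself, i.e. the plugin could not map the dependency to a file.
"""
import json
from typing import Dict, List

# Plugin warning quoted in this thread; its presence means findings will be
# attached to the project and the hotspot view may fail to render them.
UNLINKED_WARNING = "isn't possible to correctly link dependencies with files"

# Scanner log excerpt as posted in the thread.
SAMPLE_LOG = """\
2020-07-30T08:58:19.162+0200 [INFO] [org.sonarqube.gradle.SonarQubeTask] Using XML-Reportparser
2020-07-30T08:58:19.512+0200 [INFO] [org.sonarqube.gradle.SonarQubeTask] No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.
"""

# Constructed sample response: two hotspots linked to build files and one
# attached to the project key with no text range (the failure mode here).
SAMPLE_RESPONSE = json.dumps({
    "hotspots": [
        {"key": "h1", "component": "demo:build.gradle", "project": "demo",
         "textRange": {"startLine": 12, "endLine": 12,
                       "startOffset": 0, "endOffset": 40}},
        {"key": "h2", "component": "demo:app/build.gradle", "project": "demo",
         "textRange": {"startLine": 7, "endLine": 7,
                       "startOffset": 0, "endOffset": 33}},
        {"key": "h3", "component": "demo", "project": "demo"},
    ]
})


def log_reports_unlinked_dependencies(log_text: str) -> bool:
    """True when any scanner log line carries the plugin's 'cannot link' warning."""
    return any(UNLINKED_WARNING in line for line in log_text.splitlines())


def unlinked_hotspots(response_json: str) -> List[Dict]:
    """Return hotspots attached to the project itself or lacking a textRange."""
    data = json.loads(response_json)
    unlinked = []
    for hotspot in data.get("hotspots", []):
        attached_to_project = hotspot.get("component") == hotspot.get("project")
        missing_range = "textRange" not in hotspot
        if attached_to_project or missing_range:
            unlinked.append(hotspot)
    return unlinked


def summarize(response_json: str) -> Dict[str, int]:
    """Count linked vs. unlinked hotspots so a CI step can fail on unlinked > 0."""
    total = len(json.loads(response_json).get("hotspots", []))
    unlinked = len(unlinked_hotspots(response_json))
    return {"total": total, "unlinked": unlinked, "linked": total - unlinked}


if __name__ == "__main__":
    if log_reports_unlinked_dependencies(SAMPLE_LOG):
        print("scanner log: dependencies were not linked to files; "
              "add the build file(s) to sonar.sources before enabling hotspots")
    for hotspot in unlinked_hotspots(SAMPLE_RESPONSE):
        print(f"{hotspot['key']}: attached to '{hotspot['component']}' "
              "without a file text range")
    print(summarize(SAMPLE_RESPONSE))
```

Run the log check on the scanner output of a normal import first; if it fires, fix `sonar.sources` as described above and re-run. The hotspot check is for the second pass, with the response of the search endpoint saved to a file, so that the option is only enabled once every hotspot has a file and a text range.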

@alixwar alixwar closed this as completed Jul 30, 2020