Support for Sonar 10.2 Software Quality Severities #870

Closed
Blir opened this issue Oct 31, 2023 · 7 comments

@Blir

Blir commented Oct 31, 2023

Describe the bug
Beginning in Sonar 10.2, the severity values of Blocker, Critical, Major, Minor, and Info are deprecated. See here. I am opening this as a bug because this plugin claims to support Sonar 10.X per the README.md. However, the configuration of this plugin only references the deprecated severity levels.
Does this plugin actually support the new Sonar 10.2 severity levels?

Additionally, I am seeing that when upgrading my Sonar version, my old issues from this plugin that were Blocker severity have migrated to Medium severity. According to the page I linked above, they should have been migrated to High severity. Is this plugin interfering with this migration process?

To Reproduce

  1. In a Sonar server instance running version 10.2 with the Dependency-Check plugin version 4.0.0 installed, navigate to Administration > Configuration > Dependency-Check, and scroll down to the Severities section. Notice the available severities are Blocker, Critical, Major, and Minor.
  2. Refer to the Sonar 10.2 documentation here. Notice the deprecated severity levels.
  3. The new severity levels are documented here under the Software qualities section at the bottom of the page.

Current behavior
This plugin only references deprecated severity levels.

Expected behavior
Since this plugin claims to support SonarQube 10.X, it should at a minimum document its behavior when used with SonarQube 10.2 which deprecates the severities referenced by this plugin's documentation. Ideally, the configuration should reflect the new severities.

Screenshots
I expect no screenshots are necessary, let me know if you'd like me to add any.

Versions (please complete the following information):

  • sonarqube 10.2.1.78527
  • dependency-check-sonar-plugin 4.0.0

Additional context
None.

@Blir Blir added the bug label Oct 31, 2023
@Reamer Reamer self-assigned this Nov 1, 2023
@readonlyuser1

readonlyuser1 commented Nov 21, 2023

Current behavior
This plugin only references deprecated severity levels.

Versions (please complete the following information):
sonarqube 10.3.0.82913
dependency-check-sonar-plugin 4.0.0

@thomassui

I would like to underline this report. I have discovered the same issue. Blocker, Critical and Major issue severity findings are mapped to the newly introduced software qualities impact severity "Medium" in Sonar 10. As requested by Blir, it would help a lot to have a configuration in place which reflects the new software qualities impact severity (High, Medium, Low).

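The thread describes a two-stage mapping: the plugin first turns a finding's CVSS score into one of the deprecated rule severities (Blocker/Critical/Major/Minor) using the thresholds in its Severities settings, and SonarQube 10.2 then migrates that rule severity onto an impact severity (High/Medium/Low). The script below is an added example, not code from the dependency-check-sonar-plugin project or from anyone in this thread. It assumes the plugin's default thresholds of 9.0/7.0/4.0/0.0 for Blocker/Critical/Major/Minor (check the Administration > Configuration > Dependency-Check > Severities section of your own instance), the Blocker/Critical -> High, Major -> Medium, Minor/Info -> Low table from the SonarQube 10.2 deprecation notes, and a constructed report in the shape of a Dependency-Check JSON report with placeholder vulnerability names rather than real CVE identifiers. The last function is the check a practitioner would run after upgrading: compare the predicted impact severity with what the server actually displays and list every finding that came out lower, which is the symptom Blir and thomassui report.

```python
"""Predict and verify Dependency-Check finding severities under SonarQube 10.2+.

Added example; not the plugin's own code. Thresholds, report shape and the
old->new table are assumptions stated in the lead-in and in comments below.
"""
import json

# Plugin "Severities" thresholds (ASSUMED defaults, highest first): a finding
# whose best CVSS base score is >= the floor gets that rule severity.
THRESHOLDS = (("BLOCKER", 9.0), ("CRITICAL", 7.0), ("MAJOR", 4.0), ("MINOR", 0.0))

# SonarQube 10.2 migration of deprecated rule severities onto impact severities
# (per the deprecation notes; Info also collapses to Low).
OLD_TO_IMPACT = {"BLOCKER": "HIGH", "CRITICAL": "HIGH", "MAJOR": "MEDIUM",
                 "MINOR": "LOW", "INFO": "LOW"}
IMPACT_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# CONSTRUCTED sample in the shape of a Dependency-Check JSON report, limited to
# the fields this example reads. Vulnerability names are placeholders, not CVEs.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "lib-one.jar", "vulnerabilities": [
            {"name": "VULN-A", "cvssv3": {"baseScore": 9.8}, "cvssv2": {"score": 7.5}},
            {"name": "VULN-B", "cvssv3": {"baseScore": 7.5}},
        ]},
        {"fileName": "lib-two.jar", "vulnerabilities": [
            {"name": "VULN-C", "cvssv2": {"score": 5.0}},      # CVSSv2 only
            {"name": "VULN-D", "cvssv3": {"baseScore": 2.1}},
            {"name": "VULN-E"},                                # unscored
        ]},
    ],
})


def cvss_score(vuln):
    """Highest available base score across CVSSv3 and CVSSv2; None if unscored."""
    scores = []
    v3 = vuln.get("cvssv3")
    if v3 and "baseScore" in v3:
        scores.append(float(v3["baseScore"]))
    v2 = vuln.get("cvssv2")
    if v2 and "score" in v2:
        scores.append(float(v2["score"]))
    return max(scores) if scores else None


def old_severity(score, thresholds=THRESHOLDS):
    """Deprecated rule severity for a score; boundaries are inclusive (7.0 -> CRITICAL)."""
    if score is None:
        return None  # nothing to rank; surface these separately rather than guess
    for name, floor in thresholds:
        if score >= floor:
            return name
    return thresholds[-1][0]


def impact_severity(old):
    """Impact severity SonarQube 10.2 assigns when migrating the old severity."""
    return OLD_TO_IMPACT.get(old)


def classify_report(report_json, thresholds=THRESHOLDS):
    """One record per vulnerability with score, old severity and predicted impact."""
    report = json.loads(report_json)
    records = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = cvss_score(vuln)
            old = old_severity(score, thresholds)
            records.append({"dependency": dep["fileName"], "name": vuln["name"],
                            "score": score, "old": old, "impact": impact_severity(old)})
    return records


def find_downgrades(records, displayed):
    """Compare predicted impact severities with what the upgraded server shows.

    `displayed` maps vulnerability name -> impact severity as shown in the
    SonarQube UI or API. Returns (name, predicted, displayed) for every finding
    displayed at a lower level than the documented migration predicts.
    """
    drift = []
    for rec in records:
        shown = displayed.get(rec["name"])
        if rec["impact"] is None or shown is None:
            continue
        if IMPACT_RANK[shown] < IMPACT_RANK[rec["impact"]]:
            drift.append((rec["name"], rec["impact"], shown))
    return drift


if __name__ == "__main__":
    for rec in classify_report(SAMPLE_REPORT):
        print(rec)
```

Feed `find_downgrades` the impact severities you read back from the server for each finding; an empty list means the migration matched the documented table, while entries such as a Blocker-derived finding shown as Medium reproduce the discrepancy described in this issue.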
@readonlyuser1

readonlyuser1 commented Jan 3, 2024

I took the latest changes from the Master Branch (sonar-dependency-check-plugin-5.0.0-SNAPSHOT.jar) and this is what I get after rebooting sonarqube

2024.01.01 00:11:11 WARN  web[][o.s.c.a.AnnotationConfigApplicationContext] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name 'jdk.internal.loader.ClassLoaders$AppClassLoader@5ffd2b27-org.sonar.server.qualityprofile.RegisterQualityProfiles': 
Initialization of bean failed; nested exception is BadRequestException{errors=
[Rule was removed: OWASP:UsingComponentWithKnownVulnerabilitySecurityHotspot]}

2024.01.01 00:11:11 ERROR web[][o.s.s.p.Platform] Background initialization failed. 
Stopping SonarQube org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name 'jdk.internal.loader.ClassLoaders$AppClassLoader@5ffd2b27-org.sonar.server.qualityprofile.RegisterQualityProfiles': Initialization of bean failed; 
nested exception is BadRequestException{errors=[Rule was removed: OWASP:UsingComponentWithKnownVulnerabilitySecurityHotspot]}
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:628)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:955)
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:920)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583)
        at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:200)
        at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:80)
        at org.sonar.server.platform.platformlevel.PlatformLevelStartup.access$001(PlatformLevelStartup.java:58)
        at org.sonar.server.platform.platformlevel.PlatformLevelStartup$1.doPrivileged(PlatformLevelStartup.java:134)
        at org.sonar.server.user.DoPrivileged.execute(DoPrivileged.java:46)
        at org.sonar.server.platform.platformlevel.PlatformLevelStartup.start(PlatformLevelStartup.java:131)
        at org.sonar.server.platform.PlatformImpl.executeStartupTasks(PlatformImpl.java:201)
        at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:362)
        at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:116)
        at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:346)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.sonar.server.exceptions.BadRequestException: Rule was removed: OWASP:UsingComponentWithKnownVulnerabilitySecurityHotspot
        at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:65)
        at org.sonar.server.exceptions.BadRequestException.create(BadRequestException.java:59)
        at org.sonar.server.exceptions.BadRequestException.checkRequest(BadRequestException.java:44)
        at org.sonar.server.qualityprofile.builtin.RuleActivator.doActivateRecursively(RuleActivator.java:99)
        at org.sonar.server.qualityprofile.builtin.RuleActivator.activate(RuleActivator.java:94)
        at org.sonar.server.qualityprofile.builtin.RuleActivator.lambda$activate$0(RuleActivator.java:87)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575)
        at java.base/java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260)
        at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616)
        at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622)
        at java.base/java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627)
        at org.sonar.server.qualityprofile.builtin.RuleActivator.activate(RuleActivator.java:89)
        at org.sonar.server.qualityprofile.builtin.BuiltInQProfileUpdateImpl.update(BuiltInQProfileUpdateImpl.java:77)
        at org.sonar.server.qualityprofile.RegisterQualityProfiles.update(RegisterQualityProfiles.java:006)
        at org.sonar.server.qualityprofile.RegisterQualityProfiles.lambda$start$1(RegisterQualityProfiles.java:104)
        at java.base/java.lang.Iterable.forEach(Iterable.java:75)
        at org.sonar.server.qualityprofile.RegisterQualityProfiles.start(RegisterQualityProfiles.java:99)
        at org.sonar.core.platform.StartableBeanPostProcessor.postProcessBeforeInitialization(StartableBeanPostProcessor.java:33)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:440)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1796)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:620)
        ... 19 common frames omitted
2024.01.01 00:11:12 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
2024.01.01 00:11:12 INFO  web[][o.s.s.e.CoreExtensionStopper] Stopping Governance
2024.01.01 00:11:12 INFO  web[][o.s.s.e.CoreExtensionStopper] Stopping Governance (done) | time=1ms
2024.01.01 00:11:12 INFO  web[][o.s.s.n.NotificationDaemon] Notification service stopped
2024.01.01 00:11:12 INFO  web[][c.z.h.HikariDataSource] HikariPool-1 - Shutdown initiated...
2024.01.01 00:11:12 INFO  web[][c.z.h.HikariDataSource] HikariPool-1 - Shutdown completed.

==> /opt/sonarqube/logs/sonar.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] Process[Web Server] is stopped

==> /opt/sonarqube/logs/nohup.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] Process[Web Server] is stopped

==> /opt/sonarqube/logs/es.log <==
2024.01.01 00:11:12 INFO  es[][o.e.n.Node] stopping ...
2024.01.01 00:11:12 INFO  es[][o.e.c.f.AbstractFileWatchingService] shutting down watcher thread
2024.01.01 00:11:12 INFO  es[][o.e.c.f.AbstractFileWatchingService] watcher service stopped
2024.01.01 00:11:12 INFO  es[][o.e.n.Node] stopped
2024.01.01 00:11:12 INFO  es[][o.e.n.Node] closing ...
2024.01.01 00:11:12 INFO  es[][o.e.n.Node] closed

==> /opt/sonarqube/logs/sonar.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] Process[ElasticSearch] is stopped
2024.01.01 00:11:12 WARN  app[][o.s.a.p.AbstractManagedProcess] Process exited with exit value [ElasticSearch]: 001

==> /opt/sonarqube/logs/nohup.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] Process[ElasticSearch] is stopped

==> /opt/sonarqube/logs/sonar.log <==
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] SonarQube is stopped

==> /opt/sonarqube/logs/nohup.log <==
2024.01.01 00:11:12 WARN  app[][o.s.a.p.AbstractManagedProcess] Process exited with exit value [ElasticSearch]: 001
2024.01.01 00:11:12 INFO  app[][o.s.a.SchedulerImpl] SonarQube is stopped

@NIGCH
Contributor

NIGCH commented Jan 4, 2024

Hi @Reamer, this is happening after the security hotspot rule was removed. Does this need reinstating or does something else need to change?

@Reamer
Member

Reamer commented Jan 4, 2024

I have not yet tried this myself. I also don't know how to remove Rules. Maybe you have to mark them as deprecated first. Is there still the feature of security hotspots in SonarQube 10.2?

@NIGCH
Contributor

NIGCH commented Jan 4, 2024

Yes, so I've created a PR to reinstate it (the original change was just to remove a deprecated method on the rule).

@Reamer
Member

Reamer commented Feb 27, 2024

I have just released 5.0.0. With the new version and the help of @NIGCH , the error should no longer occur.

@Reamer Reamer closed this as completed Feb 27, 2024