Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

work-around for issue #55 #61

Merged
merged 1 commit into from
Aug 6, 2018
Merged

work-around for issue #55 #61

merged 1 commit into from
Aug 6, 2018

Conversation

sschober
Copy link
Contributor

@sschober sschober commented May 4, 2018
edited

This is just a proof-of-concept implementation, meant to support my supposition: it indicates, that issue #55 is caused by invalid comparison strategies in SonarQube.

This work-around solution uses dependency-check-report.xml as input component to report the issues on. That way there is a sensible line number that can be attached to each issue, thus circumventing the sorting issue.

@sschober
work-around for issue 55
f5a1775 
use dependency-check-report.xml as inputFile

dependency-check-report.xml has an entry for each vulnerability, which
can be referenced by line, thus avoiding the shuffling problem.
@sschober sschober mentioned this pull request May 4, 2018
Closed
@stevespringett
Copy link
Contributor

@sschober Apologies for the delay. Big thanks for the PR.

@stevespringett stevespringett merged commit 2d98aed into dependency-check:master Aug 6, 2018
@stevespringett stevespringett mentioned this pull request Aug 21, 2018
Closed
@TobiX
Copy link

TobiX commented Aug 28, 2018

I'm not sure this is the "proper" fix. Now all my Maven projects only throw warnings in the style of:

[WARNING] skipping dependency 'jackson-core-2.9.6.jar' as no inputFile could established.

and no issues are reported anymore :(

@sschober
Copy link
Contributor Author

Hm, besides the typo that message means your dependency-check-report.xml cannot be found.

@TobiX
Copy link

TobiX commented Sep 2, 2018

But that should be impossible at that point, since it has been found before to iterate the dependencies...

@TobiX
Copy link

TobiX commented Sep 2, 2018

Is it possible that this only works if the user manually adds the report XML as an input file to the SonarQube analysis?

@srudolph-credera
Copy link

@TobiX - I just ran into the same issue and yes, the report XML file needs to be inside a path defined by the sonar.sources property.

@TobiX TobiX mentioned this pull request Oct 17, 2018
Closed
@jordannstrong jordannstrong mentioned this pull request Jul 27, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@sschober @stevespringett @TobiX @srudolph-credera