-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JSON output file in SonarQube format #414
Conversation
947add6
to
c22b939
Compare
Hey @joserenatosilva, This PR is a great contribution, but could you add some tests for the new functions ( Could you add a wiki page explaining how this integration can be done? |
dcba975
to
b5c048e
Compare
@mdjunior the wiki page still missing, but I updated the CLI client (added spotbugs, gitleaks and sonarqube integration). CLI Update
SonarQube Update
I'll test the SonarQube integration manually and report back. |
It looks like SonarQube always needs an existing file and a valid line number, how do we approach our low vulnerability indicating that no requirements.txt, yarn.lock or package.json file is missing? Create an empty file and point line 1? I need to fix that, so I'll move back to WIP |
Line number now correctly starts at 1 Added security tool concatenated to the vulnerability language to identify which tool generated that output If theres no file path now we create a placeholder file with a hardcoded text to meet the filepath requirement from SonarQube If the vuln is from GoSec we extract the container base path (currently /go/src/code/) from the vulnerability filePath since GoSec saves the absolute file path
5a32df3
to
3a26712
Compare
As it is now the client creates a file named Regarding my last commentary:
There are more problems with missing files, in case of vulnerable dependencies, the security tools don't report an associated file and its line (requirements.txt, yarn.lock, package-lock.json, etc.). Aiming to solve all of the missing files cases I created a check that verifies if there's no file associated with a given vulnerability and creates a placeholder file with content:
The SonarQube integration won't work correctly locally with our generated export HUSKYCI_CLIENT_REPO_URL="https://github.com/globocom/huskyCI.git"
export HUSKYCI_CLIENT_REPO_BRANCH="vulns-Golang"
export HUSKYCI_CLIENT_API_ADDR="http://localhost:8888"
export HUSKYCI_CLIENT_API_USE_HTTPS="false"
export HUSKYCI_CLIENT_TOKEN="HUSKYCITOKEN" As we execute the sonar-scanner with: It should work in a CI context since the container should have the current code/branch inside the pipeline. @mdjunior, @rafaveira3 How should we approach this local SonarQube execution? |
Hey, @joserenatosilva! This is a great contribution! 🚀 Thanks a lot for your time and effort in working on this one. As we do not use Sonar in our local environment (via docker-compose, for example), we can think about this in another moment. It would be great if we focus on the CI context. 🙃 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the pair review, @joserenatosilva! Sounds good to me! Let's test this integration in DEV and check for any bugs found.🚀
Closes #370
This PR aims to enable the huskyCI-client to create a JSON output file compatible with Sonarqube generic issue importation. As it is, every execution creates/overwrites a json file named
result.json
inside a folderhuskyCI
created in the current working directory.