Sonarqube + dependency-check plugin for dotnet #473
Comments
In general, we need to analyze the dotnet project file so that we can link new SonarQube issues against parts of this file.
Hello, @Reamer, thank you for the answer. In the project we have a .csproj file and Sonar links all issues with parts of the code. I do not see any problem with the work of SQ, only this warning.
This plugin converts all vulnerabilities found by dependency-check into SonarQube issues and tries to link these issues to a project file (e.g. pom.xml, package-lock.json ...). So this project file must be part of To find the correct line in this project file, the plugin analyzes this file. If no project file is found, as in your case, this plugin links the issues against the SonarQube project. This has several disadvantages when working with the issues.
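To make concrete what "linking against the project file" means in the reply above, here is an added example that is not part of the plugin's code or of this thread: it reads a constructed dependency-check JSON report fragment and a constructed .csproj, and resolves each vulnerable NuGet package to the line of its `PackageReference`, falling back to project level when no reference matches (for instance a transitive dependency, which never appears in the .csproj). The report field names (`dependencies[].packages[].id` as a purl, `vulnerabilities[].name`) follow the dependency-check JSON report; the vulnerability names and package versions are placeholders, not real advisories.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed dependency-check JSON report fragment (not a real scan result).
# Only the fields used below are present; vulnerability names are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "Newtonsoft.Json.dll",
            "packages": [{"id": "pkg:nuget/Newtonsoft.Json@12.0.1", "confidence": "HIGH"}],
            "vulnerabilities": [{"name": "CONSTRUCTED-VULN-001", "severity": "HIGH"}],
        },
        {
            "fileName": "Serilog.dll",
            "packages": [{"id": "pkg:nuget/Serilog@2.9.0", "confidence": "HIGH"}],
            "vulnerabilities": [],
        },
        {
            # Transitive dependency: present in the scan, absent from the .csproj.
            "fileName": "System.Text.Json.dll",
            "packages": [{"id": "pkg:nuget/System.Text.Json@4.7.0", "confidence": "HIGH"}],
            "vulnerabilities": [{"name": "CONSTRUCTED-VULN-002", "severity": "MEDIUM"}],
        },
    ]
})

# Constructed .csproj. Line numbers are what the linking is about, so keep it
# as a single literal: Newtonsoft.Json is on line 6, Serilog on line 7.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="12.0.1" />
    <PackageReference Include="Serilog" Version="2.9.0" />
  </ItemGroup>
</Project>
"""

# purl form dependency-check emits for NuGet packages: pkg:nuget/<id>@<version>
PURL_RE = re.compile(r"^pkg:nuget/(?P<name>[^@]+)@(?P<version>.+)$")
# Simplification: one-line PackageReference with the Version as an attribute.
# A <Version> child element or a reference split over several lines is not handled.
PKGREF_RE = re.compile(
    r'<PackageReference\s+Include="(?P<name>[^"]+)"(?:\s+Version="(?P<version>[^"]+)")?',
    re.IGNORECASE,
)


def index_package_references(csproj_text: str) -> Dict[str, int]:
    """Map lower-cased NuGet package id -> 1-based line of its PackageReference.

    NuGet ids are case-insensitive, so the index key is lower-cased.
    """
    index: Dict[str, int] = {}
    for lineno, line in enumerate(csproj_text.splitlines(), start=1):
        m = PKGREF_RE.search(line)
        if m:
            index.setdefault(m.group("name").lower(), lineno)
    return index


def nuget_name(purl: str) -> Optional[str]:
    """Extract the package id from a NuGet purl; None for non-NuGet purls."""
    m = PURL_RE.match(purl)
    return m.group("name") if m else None


def link_vulnerabilities(report_json: str, csproj_text: Optional[str]) -> List[Tuple[str, str, Optional[int]]]:
    """Return (vulnerability name, package label, line-or-None) per finding.

    A line number means the issue can be anchored to that PackageReference.
    None means there is nothing to anchor to, so a plugin would have to raise
    the issue against the project itself, which is the situation the warning
    in this thread describes when no project file is recognised at all.
    """
    index = index_package_references(csproj_text) if csproj_text else {}
    results: List[Tuple[str, str, Optional[int]]] = []
    for dep in json.loads(report_json).get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        names = [n for n in (nuget_name(p.get("id", "")) for p in dep.get("packages", [])) if n]
        line = next((index[n.lower()] for n in names if n.lower() in index), None)
        label = names[0] if names else dep.get("fileName", "?")
        for v in vulns:
            results.append((v["name"], label, line))
    return results


if __name__ == "__main__":
    for name, pkg, line in link_vulnerabilities(SAMPLE_REPORT, SAMPLE_CSPROJ):
        where = f"line {line}" if line else "project level (no matching PackageReference)"
        print(f"{name}: {pkg} -> {where}")
```

Passing `None` as the project file reproduces the "no project configuration file" case: every finding then comes back with `None` for the line, i.e. all issues land on the project rather than on a `PackageReference`, and the transitive System.Text.Json finding does so even when the .csproj is supplied.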
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.
Hello, I am using SonarQube EE 8.4.2 with Dependency-Check plugin v2.0.6.
SonarQube parses the JSON report. But in the logs for the dotnet project I see this info warning:
“INFO: No project configuration file, e.g. pom.xml, .gradle,.gradle.kts,package-lock.json found, therefore it isn’t possible to correctly link dependencies in file”.
And then:
“INFO: Linking 41 dependencies”
Can you tell me, please, what this means for a dotnet project and whether it affects working with vulnerable dependencies in Sonar? As I see it, Sonar is linking dependencies and creating vulnerabilities on the project page.