The OWASP Dependency Checker can be used to check for known vulnerabilities in a variety of eco-systems. This tool produces a HTML based report, but I wanted to expose the issues in SonarCloud. The problem is that SonarCloud does not allow ingestion of OWASP Dependency Checker vulnerabilities out the box.
However, there is the option to ingest Generic Issue Data. To make use of this I just needed to change my XML results file to a JSON format
Once this was done the only remaining step was to tell SonarCloud where the coverted JSON file was
# Additional properties that will be passed to the scanner,
# Put one key=value per line, example:
# sonar.exclusions=**/*.bin
sonar.cpd.exclusions=**/AssemblyInfo.cs,**/*.g.cs, **/Migrations/**/*.cs
sonar.cs.vscoveragexml.reportsPaths=$(Agent.TempDirectory)/**/*.coveragexml
sonar.cs.vstest.reportsPaths=$(Agent.TempDirectory)/**/*.trx
# the full path location of the converted file
sonar.externalIssuesReportPaths=dependancy-results.json
Now the OWASP Dependency Checker vulnerabilities appear in SonarCloud, but with a few limitations
- Issues cannot be managed within SonarCloud; for instance, there is no ability to mark them as False Positive.
- The activation of the rules that raise these issues cannot be managed within SonarCloud.
- External rules are not visible on the Rules page or reflected in any Quality Profile.
- My script only does a simple mapping of the different issue formats - but this could be modified to meet any other specific needs
- Issues have to be mapped to a file already under analysis, you can’t have general project issues.
That all said, I think this is a nice solution to having a single dashboard for monitoring all my software supply chain issues.