Dependency Checker with TeamCity and SonarQube for .Net Framework and .Net Core


I'm having an issue sending the Dependency Checker output from the build agent to the SonarQube server. I'm not sure if it's the commands I use with Dependency Checker or the SonarQube setup on the server / client side. I get scan outputs reported into SonarQube for .cs, .js, .css etc., but the output from the dependency scan is not visible in the dependency checker widget. However, if I check the work folder for the particular build, there are three files that have been created by the OWASP dependency checker which haven't been picked up.

What I've done to prepare before doing the scan:

  • Downloaded OWASP dependency-check-cli from https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
  • Extracted OWASP dependency-check-cli to a directory and added the Path as an environment value on the build agent server
  • Installed the Dependency checker plugin on SonarQube via the marketplace
  • Installed the sonarscanner on the build agent server via the build agent service account
  • Removed the ${Workspace}/ value from the report fields in the dependency check plugin in SonarQube
    • The value is now just dependency-check-report.html/json/xml (depending on the field).

The command I used to install the dotnet-sonarscanner via .Net Core:

dotnet tool install --global dotnet-sonarscanner

The OWASP dependency-check-cli command (running from the root of checkoutDir on the build agent):

dependency-check.bat --project "%system.teamcity.projectName%" --scan . -f ALL --log D:\DependencyLogs\verbose.log

In order for the RetireJs functionality to work, I had to debug the log and download directly the json file which couldn't be retrieved directly. I think I need to add overrides for the proxy for https as well by using java parameters (/d:)

The Sonar Scanner begin command:

dotnet sonarscanner begin /k:%ProjectKey% /n:"%ProjectName%" /d:sonar.login=%SonarQube.UserToken% /d:sonar.host.url=%SonarQube.Host.Url%

If I, for example, add the parameter /d:sonar.dependencyCheck.xmlReportPath=%system.teamcity.checkoutDir%/dependency-check-report.xml, it is resolved to the checkout dir with an added /src/ after dependency-check-report.xml

The Sonar Scanner end command:

dotnet sonarscanner /d:sonar.login=%SonarQube.UserToken% end

If I add

%system.teamcity.build.workingDir%/dependency-check-report.html

to html, xml or json field in the plugin properties in sonarqube:

[23:19:08]  [Step 1/1] INFO: Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:D:\TeamCityBuildAgent\work\a7450333ae6fcf0c\%system.teamcity.build.workingDir%\dependency-check-report.json
[23:19:08]  [Step 1/1] INFO: JSON-Analysis skipped/aborted due to missing report file
[23:19:08]  [Step 1/1] INFO: Using XML-Reportparser
[23:19:08]  [Step 1/1] INFO: Dependency-Check XML report does not exists. Please check property sonar.dependencyCheck.xmlReportPath:D:\TeamCityBuildAgent\work\a7450333ae6fcf0c\%system.teamcity.build.workingDir%\dependency-check-report.xml
[23:19:08]  [Step 1/1] INFO: XML-Analysis skipped/aborted due to missing report file
[23:19:08]  [Step 1/1] INFO: Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:D:\TeamCityBuildAgent\work\a7450333ae6fcf0c\%system.teamcity.build.workingDir%\dependency-check-report.html
[23:19:08]  [Step 1/1] INFO: HTML-Dependency-Check report does not exist.

If I remove the working dir, so it looks like this in SonarQube:

dependency-check-report.html

The output looks like this:

[23:26:38]  [Step 1/1] INFO: Sensor Dependency-Check [dependencycheck]
[23:26:38]  [Step 1/1] INFO: Process Dependency-Check report
[23:26:38]  [Step 1/1] INFO: Using JSON-Reportparser
[23:26:39]  [Step 1/1] WARN: JSON-Analysis aborted
[23:26:39]  [Step 1/1] INFO: Using XML-Reportparser
[23:26:39]  [Step 1/1] INFO: We doesn't found any Project configuration file e.g. pom.xml, gradle.build, build.gradle.kts, package-lock.json and can not link dependencies
[23:26:39]  [Step 1/1] INFO: Linking 662 dependencies to project
[23:26:39]  [Step 1/1] INFO: Upload Dependency-Check HTML-Report
[23:26:39]  [Step 1/1] INFO: Process Dependency-Check report (done) | time=959ms
[23:26:39]  [Step 1/1] INFO: Sensor Dependency-Check [dependencycheck] (done) | time=960ms

So that should have worked. The Dependency-Check HTML is completed and uploaded, but when I look at the dependencies reported in SonarQube, the view is empty. What am I missing?

The output is there though:

[screenshot]
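Before concluding that the widget is broken, two things are worth checking, and the following added example (my own, not code from the question, the SonarQube plugin or Dependency-Check) does both. It reproduces the path construction visible in the sensor log above, where a %system.teamcity.build.workingDir% reference typed into the plugin's server-side settings is appended to the base directory verbatim rather than expanded, since TeamCity parameters are only expanded on the agent; and it summarizes what a dependency-check-report.json actually contains, so a report with no findings can be told apart from one the widget failed to render. The JSON field names it reads (dependencies[].fileName, dependencies[].vulnerabilities[].name and .severity) follow the Dependency-Check JSON report; the sample document embedded in the script is constructed, with placeholder identifiers rather than real CVEs.

```python
"""Sanity checks for a Dependency-Check report handed to the SonarQube plugin.

Added example (not code from the question, the SonarQube plugin or
Dependency-Check). It does two things:

1. resolve_report_path() reproduces the path construction visible in the
   sensor log on this page: the configured sonar.dependencyCheck.*ReportPath
   is joined verbatim onto the analysis base directory, so a TeamCity
   reference such as %system.teamcity.build.workingDir% typed into the
   plugin's server-side settings is never expanded (it is only expanded in
   build-step parameters on the agent). unexpanded_refs() flags that case.

2. summarize_report() reads a dependency-check-report.json and counts the
   dependencies and vulnerabilities in it, so a report with no findings can
   be told apart from a report the widget failed to render.

Field names (dependencies[].fileName, dependencies[].vulnerabilities[].name
and .severity) follow the Dependency-Check JSON report; SAMPLE_REPORT below
is a constructed document, not real scan output.
"""
import json
import ntpath  # Windows path semantics, as on the TeamCity agent in the question
import re
from collections import Counter

# A TeamCity parameter reference that survived unexpanded, e.g. %env.FOO% or
# %system.teamcity.build.workingDir%.
TEAMCITY_REF = re.compile(r"%[A-Za-z0-9_.]+%")


def resolve_report_path(base_dir: str, configured: str) -> str:
    """Join a configured report path onto the analysis base directory.

    Mirrors what the sensor log shows: a relative value is appended to the
    base directory as-is; an absolute value is used unchanged. No %...%
    expansion is performed, because the SonarQube server has no knowledge of
    TeamCity parameters.
    """
    if ntpath.isabs(configured):
        return ntpath.normpath(configured)
    return ntpath.normpath(ntpath.join(base_dir, configured))


def unexpanded_refs(path: str) -> list:
    """Return any %parameter% references left verbatim in a resolved path."""
    return TEAMCITY_REF.findall(path)


def summarize_report(report_json: str) -> dict:
    """Count dependencies and vulnerabilities (by severity) in a JSON report."""
    report = json.loads(report_json)
    deps = report.get("dependencies", [])
    by_severity = Counter()
    vulnerable = []
    for dep in deps:
        vulns = dep.get("vulnerabilities") or []
        if vulns:
            vulnerable.append(dep.get("fileName"))
        for vuln in vulns:
            by_severity[str(vuln.get("severity", "UNKNOWN")).upper()] += 1
    return {
        "dependencies": len(deps),
        "vulnerable_dependencies": vulnerable,
        "vulnerabilities": sum(by_severity.values()),
        "by_severity": dict(by_severity),
    }


# Constructed sample: two scanned files, one of them with two findings.
# Identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib-1.0.0.dll", "vulnerabilities": []},
        {
            "fileName": "example-script.js",
            "vulnerabilities": [
                {"name": "EXAMPLE-VULN-1", "severity": "HIGH"},
                {"name": "EXAMPLE-VULN-2", "severity": "medium"},
            ],
        },
    ],
})

if __name__ == "__main__":
    base = r"D:\TeamCityBuildAgent\work\a7450333ae6fcf0c"
    for configured in (r"%system.teamcity.build.workingDir%/dependency-check-report.json",
                       "dependency-check-report.json"):
        resolved = resolve_report_path(base, configured)
        refs = unexpanded_refs(resolved)
        print(resolved, "<- unexpanded:" if refs else "", *refs)
    print(summarize_report(SAMPLE_REPORT))
```

Run it against the real report on the agent (replace SAMPLE_REPORT with the file contents) right after the dependency-check step: if unexpanded_refs() returns anything, the path was configured on the server with a TeamCity reference and has to be passed as a /d: property from the build step instead; if the summary shows zero vulnerabilities, the widget has nothing to display regardless of how the report was found.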


Solution

  • Currently the official plugin for SonarQube (version 2.0.2) has a bug which does not show the HTML result.

    If you want it to work, you currently need to get the latest snapshot from this branch https://github.com/dependency-check/dependency-check-sonar-plugin/tree/rewrite_javascript