Showing OWASP Dependency Check results in SonarCloud

Sep 29, 2022 · 2 min read · Tech Tips ·

Share on:

The OWASP Dependency Checker can be used to check for known vulnerabilities in a variety of eco-systems. This tool produces a HTML based report, but I wanted to expose the issues in SonarCloud. The problem is that SonarCloud does not allow ingestion of OWASP Dependency Checker vulnerabilities out the box.

However, there is the option to ingest Generic Issue Data. To make use of this I just needed to change my XML results file to a JSON format

Once this was done the only remaining step was to tell SonarCloud where the coverted JSON file was

1# Additional properties that will be passed to the scanner, 
2# Put one key=value per line, example:
3# sonar.exclusions=**/*.bin
4sonar.cpd.exclusions=**/AssemblyInfo.cs,**/*.g.cs, **/Migrations/**/*.cs
5sonar.cs.vscoveragexml.reportsPaths=$(Agent.TempDirectory)/**/*.coveragexml
6sonar.cs.vstest.reportsPaths=$(Agent.TempDirectory)/**/*.trx
7# the full path location of the converted file
8sonar.externalIssuesReportPaths=dependancy-results.json

Now the OWASP Dependency Checker vulnerabilities appear in SonarCloud, but with a few limitations

Issues cannot be managed within SonarCloud; for instance, there is no ability to mark them as False Positive.
The activation of the rules that raise these issues cannot be managed within SonarCloud.
External rules are not visible on the Rules page or reflected in any Quality Profile.
My script only does a simple mapping of the different issue formats - but this could be modified to meet any other specific needs
Issues have to be mapped to a file already under analysis, you can't have general project issues.

That all said, I think this is a nice solution to having a single dashboard for monitoring all my software supply chain issues.