英文:
Can't see CVEs (vulnerabilities) on Sonar UI under Project>Issues. Used to see them in the past. Has anything changed?
问题
我们正在使用Jenkins和OWASP DependencyCheck的Sonar插件的组合 https://owasp.org/www-project-dependency-check/。在Jenkins中的流水线构建过程中生成了HTML和JSON报告,还可以在Sonar的Project>More>Dependency Check中看到HTML报告,但是在Sonar的Project>Issues>Security Category>OWASP Top 10中不再列出漏洞(CVEss),我们以前能够在那里看到CVEs。
有什么变化吗?
以前我们能够看到它们,就像下面的截图所示。
所使用的dependency-check版本
Jenkins Dependency Check插件:5.4.0
Sonar Dependency check插件:3.0.1
我阅读了这个https://sonarsource.atlassian.net/browse/SONAR-11970,但不确定是否是不再显示CVEs在OWASP Top 10类别下的原因。
英文:
We're using a combination of Jenkins and Sonar Plugin of OWASP DependencyCheck https://owasp.org/www-project-dependency-check/. The reports in HTML and JSON getting generated during pipeline build in Jenkins and also could see html reports from Project>More>Dependency Check in Sonar, but the vulnerabilities (CVEss) are no longer listed under Project>Issues>Security Category>OWASP Top 10 in Sonar. We were able to see the CVEs there in the past.
Has anything been changed?
We were able to see them before like shown in the screenshot below
Version of dependency-check used
Jenkins Dependency Check plugin: 5.4.0
Sonar Dependency check plugin: 3.0.1
I read about this https://sonarsource.atlassian.net/browse/SONAR-11970 but not sure if that's the reason behind now showing up CVEs under OWASP Top 10 category.
答案1
得分: 0
我修复了这个问题,与我在Jenkins中使用的dependency-check版本存在兼容性问题。降低dependency-check版本解决了这个问题。
英文:
I fixed this issue, there was a compatibility issue with the dependency-check version I was using in Jenkins. Downgrading the dependency-check version fixed the issue.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论