SonarCloud: OWASP Dependency-Check reports owasp dependency check sonarcloud

SonarCloud: OWASP Dependency-Check reports

SonarCloud is a hosted SonarQube SaaS solution which helps you with code quality management. It is free to use for open source projects. You cannot install 3rd party plugins in SonarCloud however. This puts some limitations on the kind of data you can put in SonarCloud. For Java this is limited to Checkstyle, PMD and SpotBugs reports. OWASP provides a Dependency-Check plugin to identify vulnerable dependencies in for example your pom.xml file. In this blog post I’ll show how to get OWASP Depedency-Check data in SonarCloud without using a 3rd party plugin! Disclaimer: this solution has been created in ~2 hours and has not been seriously tested, optimized or used in production environments. Use at your own risk!


Method used

SonarCloud can import CheckStyle, PMD, SpotBugs result data. The output XML files which are generated by those plugins, conform to a specific format. SpotBugs and PMD provide an XSD for that. CheckStyle doesn’t have one (read here). The Dependency-Check results also have an XSD (here).

I checked out the different XSDs and decided the PMD XSD was easiest to use. I created an XSLT transformation to transform the Dependency-Check result to a PMD result file and send that to SonarCloud. Although SonarCloud displayed the ‘Vulnerabilities’ as ‘Code Smells’ without tags, the results are definitely usable!

Build process

In my pom.xml first the Dependency-Check report needed to be generated before I could perform a transformation. When performing the transformation, I needed to have XSLT 2.0 support to easily get the current date/time for a timestamp. This required an additional dependency. You can take a look at my pom.xml file here. I executed a

“mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.java.pmd.reportPaths=target/pmd.xml,target/dependency-check-report-pmd.xml”

to generate the report and send it to SonarCloud. Notice you can specify a comma separated list of PMD files to send. Checkout my GitHub workflow for more details on the exact build process and if you’re interested, this blog post on how I setup GitHub Actions and SonarCloud interaction.

SonarCloud: OWASP Dependency-Check reports build process
Relevant code from my pom.xml file

Transformation

I created the following transformation (dependencycheck_to_pmd.xsl) which you can download here:

SonarCloud: OWASP Dependency-Check reports transformation
Transforming a Dependency-Check report to a PMD report

I did encounter some challenges;

  • The current-dateTime function which required XSLT 2.0. This required an additional dependency (Saxon). in my pom.xml file.
  • Transforming the CVSS3 rating to a PMD severity rating. PMD uses 1 for highest severity and 5 for lowest. CVSS3 uses 10 for highest and 0 for lowest.
  • The file the issue refers to is required to exist in your code. Supplying the JAR file which causes the issue did not work so I set it to my pom.xml
  • Required fields like line number. 0 is not allowed so I set them to 1. Determining the exact line in the pom.xml which caused a specific dependency to be included, did not seem like it was easy to do.
  • I did not find the externalInfoUrl in SonarCloud in a location I could click on. Now you have to go to the NVD site yourself and look for the issue if you want more information.

Result

The result of feeding the resulting PMD results file to SonarCloud was that I could see the issues with correct severity in SonarCloud with several interesting fields in the description like the CVSS score and CVE code.

SonarCloud: OWASP Dependency-Check reports sonarcloud dependency check data
SonarCloud displaying Dependency-Check results (as a transformed PMD report)

This does look a bit worse though than using a ‘native’ Dependency-Check report and 3rd party plugin in SonarQube. For example, tags are missing and they are reported as “Code Smell” instead of “Vulnerability”. Also more vulnerabilities are reported when using this method compared to the SonarQube setup. I have not looked into this in more detail but since they refer to the same file, fixing that will probably get rid of all issues.

SonarCloud: OWASP Dependency-Check reports sonarqube
SonarQube with a 3rd party Dependency-Check plugin