
SonarQube dependency check sonar plugin

I'm having issues with displaying vulnerabilities on SonarQube. Here are the steps I followed:

  1. Installed dependency-check-sonar-plugin version 1.0.3 on SonarQube.

  2. Configured the dashboard to include the Vulnerabilities widget.

  3. Generated dependency report using: mvn org.owasp:dependency-check-maven:1.3.6:check -Dformat=XML.

  4. Report was placed into [project]/target/dependency-check-report.xml

  5. Ran the sonar task: org.codehaus.mojo:sonar-maven-plugin:2.3:sonar

The task completed successfully, but I don't see any data in the Vulnerabilities widget. Does anyone have an idea what could prevent the plugin from seeing the report?

Thanks in advance! Rada

Asked Mar 13 '23 13:03 by rada


1 Answer

To solve the issue I contacted Steve Springett, creator of the plugin. He has great end-to-end examples of how the plugin should be configured.
I added <sonar.dependencyCheck.reportPath>${dependency.check.report.dir}/dependency-check-report.xml</sonar.dependencyCheck.reportPath> to the properties of my pom and used the following two plugins:

<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>2.6</version>
</plugin>
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>1.3.1</version>
    <configuration>
        <format>XML</format>
        <outputDirectory>${dependency.check.report.dir}</outputDirectory>
    </configuration>
</plugin>
Answered Mar 21 '23 10:03 by rada
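A quick check that belongs between steps 4 and 5 of the question: before pointing sonar.dependencyCheck.reportPath at the file, confirm the XML report at that path actually contains findings, because an empty Vulnerabilities widget can also mean an empty report rather than a misconfigured path. This is an added example, not code from the post or from the plugin; the element names follow the dependency-check report layout (analysis > dependencies > dependency > vulnerabilities > vulnerability) and the sample report, its namespace and its CVE ids are constructed placeholders.

```python
"""Added example (not from the original post): sanity-check a
dependency-check XML report before pointing sonar.dependencyCheck.reportPath
at it. Element names follow the report layout (analysis > dependencies >
dependency > vulnerabilities > vulnerability); the XML namespace changes
between releases, so it is matched with a wildcard."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report; the namespace and the CVE ids are placeholders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis xmlns="https://example.invalid/dependency-check-placeholder-ns">
  <dependencies>
    <dependency>
      <fileName>commons-example-1.0.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-0000-0001</name><severity>High</severity></vulnerability>
        <vulnerability><name>CVE-0000-0002</name><severity>Medium</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>clean-lib-2.0.jar</fileName>
    </dependency>
  </dependencies>
</analysis>
"""


def summarize_report(xml_text):
    """Return [(file_name, cve, severity), ...] for every vulnerability found."""
    findings = []
    root = ET.fromstring(xml_text)
    # ".//{*}tag" matches the element whatever its namespace (Python 3.8+).
    for dep in root.iterfind(".//{*}dependency"):
        file_name = dep.findtext("{*}fileName", default="<unknown>")
        for vuln in dep.iterfind(".//{*}vulnerability"):
            cve = vuln.findtext("{*}name", default="?")
            severity = vuln.findtext("{*}severity", default="?")
            findings.append((file_name, cve, severity))
    return findings


if __name__ == "__main__":
    # Pass the real report path as argv[1]; without it the constructed sample runs.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for file_name, cve, severity in summarize_report(text) or [("-", "no findings", "-")]:
        print(f"{severity:8} {cve:16} {file_name}")
```

Run it as `python check_report.py target/dependency-check-report.xml`; an empty listing means the widget has nothing to display and the path property is not the problem.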