use npm audit report in SonarQube

I'm working on a web application. I need to check the security of its dependencies.

I'm actually scanning my source code with OWASP Dependency-Check, but I think it's not the best tool to use on a web app. I think npm audit or yarn audit is a better tool to check the dependency security of this kind of application.

With OWASP, I use the OWASP SonarQube project to integrate the result into SonarQube. Example of the settings used:

sonar.dependencyCheck.reportPath=$(System.DefaultWorkingDirectory)/DependencyCheckResults/dependency-check-report.xml
sonar.dependencyCheck.htmlReportPath=$(System.DefaultWorkingDirectory)/DependencyCheckResults/dependency-check-report.html

In the same way, is there a way to use the npm audit (or yarn audit) report into SonarQube?

At the moment I generate the report in JSON format, using this command:

npm audit --json

I also know that it's possible to generate an HTML report from npm audit with https://github.com/eventOneHQ/npm-audit-html

So it's just missing a SonarQube plugin to import it, or something like that, but I can't find it.

Geoffrey Lalloué asked Sep 13 '19 15:09


1 Answer

Currently, this does not seem to be possible. However, npm RFC 0004 specifies an npm audit --owasp flag for solving this problem. This RFC was accepted, but is not yet implemented.

Maybe it is worth a try to parse the output of npm audit --json with some SonarQube plugin, but I have no more knowledge about how to do this.

Edit 2021-08-09

The npm RFC was withdrawn:

The npm cli team would be happy to land this change in case it comes from a community contribution; this withdrawal was based on the fact that this is not remotely close to being on the roadmap of the current team.

haja answered Oct 19 '22 18:10
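One way to try what the answer suggests without waiting for a dedicated plugin, as an added example that is not code from the question, the answer, npm or SonarQube: a Python script that turns npm audit --json output into SonarQube's Generic Issue Import JSON, which SonarQube reads through the sonar.externalIssuesReportPaths property and lists as external issues. It assumes that format's field names, the severity mapping shown in the code, and the npm 6 ("advisories") and npm 7+ ("vulnerabilities") report layouts; the sample report is constructed, not real advisory data.

```python
"""Convert `npm audit --json` output to SonarQube's Generic Issue Import JSON.

Added example, not code from the question, the answer, npm or SonarQube.
Assumes the Generic Issue Import field names (engineId, ruleId, severity, type,
primaryLocation), loaded via sonar.externalIssuesReportPaths, and the npm 6
"advisories" and npm 7+ "vulnerabilities" report layouts.
"""
import json
import sys

# npm audit severity -> SonarQube severity (assumed mapping, adjust to taste)
SEVERITY = {"critical": "BLOCKER", "high": "CRITICAL", "moderate": "MAJOR",
            "low": "MINOR", "info": "INFO"}

def _issue(pkg, severity, title, url, manifest):
    return {
        "engineId": "npm-audit",
        "ruleId": f"npm-audit:{severity}",
        "severity": SEVERITY.get(severity, "MAJOR"),
        "type": "VULNERABILITY",
        # An advisory has no source line, so anchor it on the manifest file.
        "primaryLocation": {"message": f"{pkg}: {title} ({url})",
                            "filePath": manifest},
    }

def convert(audit, manifest="package.json"):
    """Return the generic-issue document for one parsed npm audit report."""
    issues = []
    # npm 6 layout: {"advisories": {"<id>": {module_name, severity, title, url}}}
    for adv in audit.get("advisories", {}).values():
        issues.append(_issue(adv["module_name"], adv["severity"],
                             adv["title"], adv["url"], manifest))
    # npm 7+ layout: {"vulnerabilities": {"<name>": {severity, via: [...]}}};
    # dict entries in "via" are direct advisories, strings are transitive refs
    for name, vuln in audit.get("vulnerabilities", {}).items():
        for via in vuln.get("via", []):
            if isinstance(via, dict):
                issues.append(_issue(name, via.get("severity", vuln["severity"]),
                                     via["title"], via["url"], manifest))
    return {"issues": issues}

# Constructed sample in the npm 7+ layout (not real advisory data).
SAMPLE = {"vulnerabilities": {
    "example-lib": {"severity": "high", "via": [{"title": "Example prototype pollution",
        "url": "https://example.invalid/advisory/1", "severity": "high"}]},
    "other-lib": {"severity": "high", "via": ["example-lib"]}}}

if __name__ == "__main__":  # usage: python npm_audit_to_sonar.py audit.json > sonar-issues.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(convert(data), indent=2))
```

Note that npm audit exits non-zero when it finds vulnerabilities, so a CI step that writes the report should tolerate that (for example `npm audit --json > audit.json || true`) and let the SonarQube quality gate, not the audit exit code, decide the outcome.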