I'm feeding the ThreadFix Sonar Plugin an XML report created by OWASP ZAP.
The only information I'm getting in SonarQube from this report is the "ThreadFix Total Vulnerabilities" measure. Is this normal?
What kind of output should be expected in Sonar from static reports and dynamic reports?
Thanks,
Tiago Lopes.
"[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.0.2:sonar (default-cli) on project platform: Error creating bean with name 'getPersistenceExceptionTranslationPostProcessor' defined in class com.denimgroup.threadfix.importer.util.SpringConfiguration: Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'annotationSessionFactoryBean' defined in class com.denimgroup.threadfix.importer.util.SpringConfiguration: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean com.denimgroup.threadfix.importer.util.SpringConfiguration.annotationSessionFactoryBean()] threw exception; nested exception is java.lang.NoClassDefFoundError: javax/persistence/Entity: javax.persistence.Entity "
Dynamic Finding (has not been merged with a Static Finding)
Dynamic findings that have not been merged with a static finding are associated with a default file, which can be configured in your sonar-project.properties.
With this setup, Sonar Plugin 2.2 (downloaded from your website) works but finds 0 issues using the ThreadFix profile, and
findings imported from an XML report only appear in the Measures menu as "ThreadFix Total Vulnerabilities"; no further information is provided.
Using Sonar Plugin 2.2 (downloaded from ThreadFix 2.2.7.2 CE), I get the error mentioned above, and the same applies to version 2.3.
Is it my configuration or perhaps the setup (versions installed)?
If possible please share a test project for me to run.
Thanks.
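The Maven failure quoted above ends in NoClassDefFoundError: javax/persistence/Entity, which means no jar visible to the plugin's classloader provides that class. The following is an added diagnostic, not code from the ThreadFix project or from anyone in this thread: it lists which jars in a directory actually contain a given class resource, so a missing or mismatched plugin jar can be spotted before re-running the scanner. The directory path "extensions/plugins" and the class name are assumed defaults and can be overridden on the command line.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarFile;

/**
 * Added diagnostic (not part of the ThreadFix Sonar plugin): report which jars
 * under a directory carry a given class, so a NoClassDefFoundError such as
 * javax/persistence/Entity can be traced to a missing or shadowed dependency.
 */
public class FindClassInJars {

    /**
     * Returns the jars directly under dir that contain the given resource path,
     * e.g. "javax/persistence/Entity.class". Non-jar files are ignored.
     */
    static List<File> jarsContaining(File dir, String resource) throws IOException {
        List<File> hits = new ArrayList<>();
        File[] jars = dir.listFiles((d, name) -> name.endsWith(".jar"));
        if (jars == null) {
            return hits; // directory missing or unreadable: nothing to scan
        }
        for (File jar : jars) {
            try (JarFile jf = new JarFile(jar)) {
                if (jf.getJarEntry(resource) != null) {
                    hits.add(jar);
                }
            }
        }
        return hits;
    }

    /** True if the class is loadable by this JVM's application classloader. */
    static boolean loadableHere(String className) {
        try {
            Class.forName(className, false, FindClassInJars.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed defaults: the SonarQube plugin directory and the class from the error above.
        String dir = args.length > 0 ? args[0] : "extensions/plugins";
        String cls = args.length > 1 ? args[1] : "javax.persistence.Entity";
        String resource = cls.replace('.', '/') + ".class";

        List<File> hits = jarsContaining(new File(dir), resource);
        if (hits.isEmpty()) {
            System.out.println("No jar under " + dir + " provides " + cls
                    + " -> a plugin needing it will fail with NoClassDefFoundError");
        } else {
            for (File f : hits) {
                System.out.println(cls + " found in " + f);
            }
        }
        System.out.println("Loadable from this JVM's classpath: " + loadableHere(cls));
    }
}
```

Run it against the SonarQube extensions/plugins directory (and, for comparison, against the Maven local repository) with the class named in the error; if the ThreadFix plugin jar is listed but no jar contains the JPA annotation class, the plugin build is missing a dependency rather than being misconfigured.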
Tiago,
It might be a configuration problem. To confirm: are you running the plugin in Local Mode? When you switch plugins, are you removing the previous plugin completely? When switching/installing plugins, have you restarted SonarQube?
Below is a list of the combinations you have tried and their results; does everything look correct?
ThreadFix 2.3 / Sonar Plugin 2.3 / SonarQube 5.5 / SonarRunner 2.6.1 -> Maven error
ThreadFix 2.3 / Sonar Plugin 2.2 (downloaded from TF) / SonarQube 5.5 / SonarRunner 2.6.1 -> works, with no results [NOT RECOMMENDED]
ThreadFix 2.2.7.2 / Sonar Plugin 2.2 (downloaded from TF) / SonarQube 5.5 / SonarRunner 2.6.1 -> Maven error
ThreadFix 2.3 / Sonar Plugin 2.2 (downloaded from web) / SonarQube 5.5 / SonarRunner 2.6.1 -> works, with no results [NOT RECOMMENDED]
ThreadFix 2.2.7.2 / Sonar Plugin 2.2 (downloaded from web) / SonarQube 5.5 / SonarRunner 2.6.1 -> works, with no results
I recommend staying on ThreadFix 2.3 and the latest Sonar Plugin downloaded from ThreadFix 2.3 while troubleshooting.
That being said, we've logged this as an issue to investigate. Unfortunately, our enterprise clients have to come first, so we have not yet had an opportunity to dig further into the issue.
We are in the final testing phase for our 2.4 enterprise release due end of June, after which we should be able to provide more insight into this.
I appreciate your patience,
Changes:
Updated SonarQube to 5.6
Testing project: WebGoat(-develop)
https://github.com/WebGoat/WebGoat
Feeding the Sonar Plugin with a ZAP scan of WebGoat on the following setup:
ThreadFix 2.3 / Sonar Plugin 2.3 / SonarQube 5.6 / SonarRunner 2.6.1
-> Maven error persists
Log(Jenkins, SonarQube and ThreadFix Plugin): http://pastebin.com/j6pJyit5
_________________________________________________________________________
Feeding the Sonar Plugin with ZAP and AppScan Source scans of WebGoat on the following setup:
ThreadFix 2.3 / Sonar Plugin 2.2 (downloaded from web) / SonarQube 5.6 / SonarRunner 2.6.1
-> works, with no results [NOT RECOMMENDED]
Even though there are 104 ThreadFix Total Vulnerabilities, no new issues were created.
Log(Jenkins, SonarQube and ThreadFix Plugin): http://pastebin.com/FtEHtDUP
No progress was made.
Yes to everything: I'm running in local mode using a Maven project with the Maven setup, and I remove the plugin completely and restart.
The list is correct.