TFS 2017: SonarQube + OWASP Dependency Check for Java (maven) projects


Carlo Reggiani

Mar 20, 2018, 12:07:42 PM
to SonarQube
Hi

I'm trying to use the SonarQube plugin for TFS 2017 (update 2) in conjunction with OWASP Dependency Check tool for a java project.

For .Net projects it is easy to configure: it is possible to add the SonarQube analysis task AFTER the command task for DepCheck client execution in the build folder: the tool produces the html/xml report for the next SonarQube (with DepCheck plugin) analysis.

For the Maven task it is not possible to use the SonarQube Analysis Task, but I have to use the SonarQube analysis by enabling it in the Maven Task; there is no way to execute the DepCheck client analysis immediately after the Maven artifact build to produce the xml/html report and THEN execute SonarQube with the DepCheck plugin.

Not clear why the SonarQube plugin for TFS has different configurations for .Net and Java projects....

Any idea?

Carlo

Julien HENRY

Mar 21, 2018, 7:53:23 AM
to SonarQube
Hi,

The SonarScanner for Maven is a Maven plugin. It works better when part of the build reactor:
mvn package sonar:sonar

That's why the configuration is different than for MSBuild projects.

You should make the OWASP dependency checker part of the Maven build, for example using this plugin. Since the SonarScanner is an aggregator mojo, it will run at the end, after the DepCheck reports are produced.

++

Julien
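One way to wire this up, as an added example that is not part of the thread and not taken from either plugin's documentation: the `pom.xml` fragment below binds the `org.owasp:dependency-check-maven` plugin's `check` goal to the `package` phase so that the XML/HTML reports land in `target/` before the aggregator `sonar:sonar` goal runs, and points the SonarQube Dependency-Check plugin at them. The `sonar.dependencyCheck.reportPath` and `sonar.dependencyCheck.htmlReportPath` property names are an assumption about the plugin version in use and should be checked against the installed SonarQube Dependency-Check plugin; the group/artifact ids and the `example.com` SonarQube host are placeholders.

```xml
<project>
  <!-- Hypothetical coordinates; replace with the real project's -->
  <groupId>com.example</groupId>
  <artifactId>depcheck-demo</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- SonarQube server the TFS Maven task (with SonarQube analysis enabled)
         or "mvn package sonar:sonar" will talk to; placeholder host -->
    <sonar.host.url>https://sonarqube.example.com</sonar.host.url>

    <!-- Where the SonarQube Dependency-Check plugin reads the reports from.
         ASSUMPTION: property names as used by the SonarQube Dependency-Check
         plugin of that era; verify against your installed plugin version. -->
    <sonar.dependencyCheck.reportPath>
      ${project.build.directory}/dependency-check-report.xml
    </sonar.dependencyCheck.reportPath>
    <sonar.dependencyCheck.htmlReportPath>
      ${project.build.directory}/dependency-check-report.html
    </sonar.dependencyCheck.htmlReportPath>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- Pin the version; "LATEST" is not reproducible -->
        <version>3.1.1</version>
        <configuration>
          <!-- ALL writes HTML, XML, CSV and JSON into target/ -->
          <format>ALL</format>
          <!-- Break the build on CVSS >= 7 findings so the pipeline,
               not only the dashboard, notices high-severity issues -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <!-- Default binding for dependency-check:check is the verify phase,
                 which "mvn package sonar:sonar" never reaches. Bind to
                 package instead so the report exists when sonar:sonar runs
                 as the last mojo of the reactor. -->
            <phase>package</phase>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place the single Maven invocation from the reply, `mvn package sonar:sonar`, produces the Dependency-Check reports during `package` and then uploads them together with the Sonar analysis, which is what the TFS Maven task with SonarQube analysis enabled runs on your behalf. If you prefer to keep the default `verify` binding, call `mvn verify sonar:sonar` instead; either way the report must be generated in the same reactor run, before the scanner executes.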