otherdevopsgene / zap-sonar-plugin

Integrates OWASP Zed Attack Proxy reports into SonarQube

License: GNU General Public License v3.0

Java 26.25% Ruby 0.02% JavaScript 6.53% CSS 0.03% HTML 67.17%
dynamic-analysis zap owasp owasp-zap software-security security appsec sonarqube sonar-plugin

zap-sonar-plugin's Introduction

ZAP Plugin for SonarQube

Integrates OWASP ZAP reports into SonarQube 7.9.6 LTS or higher. The current LTS version of SonarQube is the target.

About ZAP

OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

ZAP can be used by people with a wide range of security experience, which makes it ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Installation

Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.

Plugin Configuration

A typical SonarQube configuration will have the following parameters. This example assumes the use of a Jenkins workspace, but can easily be altered for other CI/CD systems.

sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml
sonar.zaproxy.htmlReportPath=${WORKSPACE}/zaproxy-htmlReport.html
# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml
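
A pre-flight check for the properties above, as an added example (not part of the plugin or its README): it resolves each configured path, confirms the file exists inside the project base directory, and lists report pluginid values that have no matching rule key. The function names, the server_rule_keys parameter and the sample files are assumptions constructed for illustration; the ZAProxy:<pluginid> form is taken from the scanner messages quoted in the issues on this page.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample inputs (not real scan output), using the property names,
# report layout and rules layout that appear on this page.
SAMPLE_PROPERTIES = """\
sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml
# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml
"""
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<OWASPZAPReport generated="constructed" version="2.4.0">
<site host="localhost" name="http://localhost:8180" port="8180" ssl="false"><alerts>
<alertitem><pluginid>0</pluginid><alert>Existing test check</alert></alertitem>
<alertitem><pluginid>1234567890</pluginid><alert>Dynamic rule test check</alert></alertitem>
<alertitem><pluginid>10094</pluginid><alert>Sample alert</alert></alertitem>
<alertitem><pluginid>10094</pluginid><alert>Sample alert</alert></alertitem>
</alerts></site></OWASPZAPReport>"""
SAMPLE_RULES = "<rules><rule><key>1234567890</key><name>Just some dynamic rule</name></rule></rules>"
PATH_KEYS = ("sonar.zaproxy.reportPath", "sonar.zaproxy.htmlReportPath",
             "sonar.zaproxy.rulesFilePath")


def parse_properties(text):
    """Parse scanner-style key=value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def resolve(value, base_dir, env):
    """Expand ${VAR} from env, then resolve the path relative to base_dir."""
    expanded = re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), m.group(0)), value)
    path = Path(expanded)
    return (path if path.is_absolute() else Path(base_dir) / path).resolve()


def plugin_ids(report_path):
    """Return {pluginid: alert name} for every <alertitem> in a ZAP XML report."""
    # Report text originates from the scanned application. The stdlib parser does
    # not fetch external entities; a hardened parser such as defusedxml is the
    # safer choice for reports you did not produce yourself.
    root = ET.parse(str(report_path)).getroot()
    if root.tag != "OWASPZAPReport":
        raise ValueError("root element is <%s>, expected <OWASPZAPReport>" % root.tag)
    found = {}
    for item in root.iter("alertitem"):
        pid = (item.findtext("pluginid") or "").strip()
        found.setdefault(pid, (item.findtext("alert") or "").strip())
    return found


def rule_keys(rules_path):
    """Return the set of <key> values defined in a rules XML file."""
    root = ET.parse(str(rules_path)).getroot()
    return {(rule.findtext("key") or "").strip() for rule in root.iter("rule")}


def preflight(props, base_dir, env, server_rule_keys=frozenset()):
    """Return a list of findings; an empty list means nothing was flagged.

    server_rule_keys is an assumption of this example: rule keys the operator
    already knows to be registered on the SonarQube server.
    """
    findings, paths = [], {}
    base = Path(base_dir).resolve()
    if "sonar.zaproxy.reportPath" not in props:
        findings.append("sonar.zaproxy.reportPath is not set")
    for key in PATH_KEYS:
        if key not in props:
            continue
        path = resolve(props[key], base, env)
        if "${" in str(path):
            findings.append("%s: unexpanded variable in %s" % (key, props[key]))
        elif not path.is_file():
            findings.append("%s: no file at %s" % (key, path))
        elif base not in path.parents:
            findings.append("%s: %s is outside base dir %s" % (key, path, base))
        else:
            paths[key] = path
    if "sonar.zaproxy.reportPath" not in paths:
        return findings
    try:
        alerts = plugin_ids(paths["sonar.zaproxy.reportPath"])
        known = set(server_rule_keys)
        if "sonar.zaproxy.rulesFilePath" in paths:
            known |= rule_keys(paths["sonar.zaproxy.rulesFilePath"])
    except (ET.ParseError, ValueError) as exc:
        return findings + ["unreadable XML: %s" % exc]
    for pid in sorted(set(alerts) - known):
        findings.append("no rule for ZAProxy:%s (%s)" % (pid, alerts[pid]))
    return findings


def demo():
    """Run the check against the constructed files in a throwaway workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        (ws / "zaproxy-report.xml").write_text(SAMPLE_REPORT, encoding="utf-8")
        (ws / "myrules.xml").write_text(SAMPLE_RULES, encoding="utf-8")
        props = parse_properties(SAMPLE_PROPERTIES)
        return preflight(props, ws, {"WORKSPACE": str(ws)}, server_rule_keys={"0"})


if __name__ == "__main__":
    print("\n".join(demo()) or "no findings")
```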

History

The ZAP SonarQube Plugin is derived from the OWASP Dependency-Check SonarQube Plugin. Version 1.0 of the Dependency-Check plugin was forked by @polymont with the intent of creating a generic OWASP SonarQube plugin to support any OWASP project. The ZAP team wanted their own SonarQube plugin independent of any other project. In addition, a number of critical defects were discovered in the initial release of the Dependency-Check SonarQube plugin that were later fixed in subsequent releases, but never addressed in the generic OWASP version. The ZAP SonarQube Plugin is based on v1.0.3 of the Dependency-Check SonarQube plugin with ZAP-specific contributions by @polymont.

License

Permission to modify and redistribute is granted under the terms of the LGPLv3 license.

zap-sonar-plugin's People

Contributors

dependabot[bot], otherdevopsgene, pethers, snyk-bot, stevespringett, wingkwong

zap-sonar-plugin's Issues

Widget not showing Report Zap in Sonarqube

Hello Steve,

First of all, I want to thank you for writing and sharing this plugin to view the ZAP scan information in Sonar. I am new to using all these technologies and have some doubts about how it functions. I've been working with this plugin to get reports and I have a question; if you don't mind answering it, I would appreciate it, because I am a little bit lost.

I am working with the plugin called zap-maven-plugin, where I executed a scan spider zap. The project generated some reports in the folder of the project (C:\workspace\zap-maven-plugin-master\zap-maven-plugin-parent\target\zap-reports):
• zapReport.html
• zapReport.xml
• zapSpiderResults.html
• zapSpiderResults.xml

I downloaded the plugin “Zap-sonar-plugin”, compiled it and installed it on SonarQube 5.6.3 LTS. First of all, I did some configuration in the pom.xml to get the report, as I had read in some post.

--
<sonar.zaproxy.report.dir>${project.build.directory}/target/zap-reports</sonar.zaproxy.report.dir>
<sonar.version>5.1</sonar.version>
<sonar.pluginClass>org.sonar.zaproxy.ZapPlugin</sonar.pluginClass>
<sonar.pluginName>ZAP</sonar.pluginName>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<sonar.host.url>http://localhost:9000/</sonar.host.url>
<sonar.sources>src/main/java</sonar.sources>
<sonar.zaproxy.reportPath>${sonar.zaproxy.report.dir}zapReport.xml</sonar.zaproxy.reportPath>
--

pom sonar zap plugin

But when I installed the plugin, Sonar doesn't get any report and gives me the result “No data”.

sonarqube

What I would like to do is run an automated ZAP scan to identify OWASP vulnerabilities and get integrated reporting.
Do I have to change more parameters in the project? Is it better to use another plugin to run the ZAP scan against the 10 most important safety indicators according to OWASP?

Sorry for the inconvenience and thank you very much for your time.

Regards,
Francisco Sánchez

Unable to add and map new rules for rules.xml

Hi Steve,
I am trying to use the ZAP plugin for SonarQube integration.

Issue 1)
I have added 3 more rules to rules.xml as you suggested and generated the jar (available in the zip). I added the jar to the plugins in SonarQube.
I can see the rules in the ZAP rules area, and if I run the Sonar scanner I can see they are mapped in the Plugin-Not On project area Vulnerabilities.
image

Plus, if I click on the plugin Alert link, it is not mapped to the ZAP rule.
image

Issue 2)
I have even tried the rules by adding them to myrules.xml – the rules are not recognized by the scanner.
Any help would be much appreciated.

The attached zip contains the files I have used/tried.

zap-sonar_Issues.zip

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:5.1.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):


Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

react-dev-utils:11.0.1
        └─ fork-ts-checker-webpack-plugin:4.1.6
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ kind-of:5.1.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

DepShield encountered errors while building your project

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.

* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum

Upload multiple ZAP Reports

In my Jenkins pipeline I have integrated a ZAP scan that scans multiple targets; for each target a ZAP report is generated. I want to upload multiple ZAP reports to Sonar. I have analysed the Java source code of the ZapSensor class as well as XmlReportFile/HtmlReportFile, and it is not possible as it stands.
So is it possible to extend the logic of the ZapSensor class to handle multiple ZAP reports, or is this not possible at all for architectural reasons?
I imagine extending the two parameters "sonar.zaproxy.htmlReportPath" and "sonar.zaproxy.rulesFilePath" so that you can specify multiple reports as a path and then extending the ZapSensor class so that it processes multiple reports. Could such a logic work?

SonarQube v7 compatibility

When running the plugin on SonarQube 7.x we get the following stacktrace:

ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
java.lang.IllegalStateException: Fail to load plugin ZAP [zap]
	at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:82)
	at org.sonar.server.platform.platformlevel.PlatformLevel4.start(PlatformLevel4.java:586)
	at org.sonar.server.platform.Platform.start(Platform.java:211)
	at org.sonar.server.platform.Platform.startLevel34Containers(Platform.java:185)
	at org.sonar.server.platform.Platform.access$500(Platform.java:46)
	at org.sonar.server.platform.Platform$1.lambda$doRun$0(Platform.java:119)
	at org.sonar.server.platform.Platform$AutoStarterRunnable.runIfNotAborted(Platform.java:371)
	at org.sonar.server.platform.Platform$1.doRun(Platform.java:119)
	at org.sonar.server.platform.Platform$AutoStarterRunnable.run(Platform.java:355)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: Unable to register extension org.sonar.zaproxy.base.ZapMetrics from plugin 'zap'
	at org.sonar.core.platform.ComponentContainer.addExtension(ComponentContainer.java:242)
	at org.sonar.server.plugins.ServerExtensionInstaller.installExtension(ServerExtensionInstaller.java:119)
	at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:74)
	... 9 common frames omitted
Caused by: java.lang.NoClassDefFoundError: org/sonar/api/measures/Formula
	at java.lang.Class.getDeclaredFields0(Native Method)
	at java.lang.Class.privateGetDeclaredFields(Class.java:2583)
	at java.lang.Class.getDeclaredFields(Class.java:1916)
	at org.picocontainer.injectors.AdaptingInjection$2.run(AdaptingInjection.java:217)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.picocontainer.injectors.AdaptingInjection.injectionFieldAnnotated(AdaptingInjection.java:209)
	at org.picocontainer.injectors.AdaptingInjection.fieldAnnotatedInjectionAdapter(AdaptingInjection.java:188)
	at org.picocontainer.injectors.AdaptingInjection.createComponentAdapter(AdaptingInjection.java:57)
	at org.picocontainer.behaviors.AbstractBehaviorFactory.createComponentAdapter(AbstractBehaviorFactory.java:44)
	at org.picocontainer.behaviors.OptInCaching.createComponentAdapter(OptInCaching.java:45)
	at org.picocontainer.DefaultPicoContainer.addComponent(DefaultPicoContainer.java:536)
	at org.picocontainer.DefaultPicoContainer.access$300(DefaultPicoContainer.java:84)
	at org.picocontainer.DefaultPicoContainer$AsPropertiesPicoContainer.addComponent(DefaultPicoContainer.java:1149)
	at org.sonar.core.platform.ComponentContainer.addExtension(ComponentContainer.java:240)
	... 11 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.sonar.api.measures.Formula
	at org.sonar.classloader.ParentFirstStrategy.loadClass(ParentFirstStrategy.java:39)
	at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:87)
	at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:76)
	... 25 common frames omitted

For compatibility with SonarQube 7.x we should fix some imports.

org.sonar.api.measures.Formula no longer exists in SonarQube 7.x.
See http://javadocs.sonarsource.org/7.3/apidocs/org/sonar/api/measures/package-tree.html

I know the target release is LTS (v6 currently) but it would be nice to already support running the plugin on the next version.

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:3.2.2

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):


Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

react-dev-utils:11.0.1
        └─ fork-ts-checker-webpack-plugin:4.1.6
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ to-object-path:0.3.0
                                            └─ kind-of:3.2.2
                                └─ class-utils:0.3.6
                                      └─ static-extend:0.1.2
                                            └─ object-copy:0.1.0
                                                  └─ kind-of:3.2.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ is-accessor-descriptor:0.1.6
                                            └─ kind-of:3.2.2
                                      └─ is-data-descriptor:0.1.4
                                            └─ kind-of:3.2.2

webpack-dev-server:3.11.0
        └─ chokidar:2.1.8
              └─ braces:2.3.2
                    └─ fill-range:4.0.0
                          └─ is-number:3.0.0
                                └─ kind-of:3.2.2
                    └─ snapdragon-node:2.1.1
                          └─ snapdragon-util:3.0.1
                                └─ kind-of:3.2.2

[DepShield] (CVSS 7.2) Vulnerability due to usage of lodash:4.17.20

Vulnerabilities

DepShield reports that this application's usage of lodash:4.17.20 results in the following vulnerability(s):


Occurrences

lodash:4.17.20 is a transitive dependency introduced by the following direct dependency(s):

@babel/core:7.12.10
        └─ @babel/helper-module-transforms:7.12.1
              └─ lodash:4.17.20
        └─ @babel/traverse:7.12.12
              └─ lodash:4.17.20
        └─ @babel/types:7.12.12
              └─ lodash:4.17.20
        └─ lodash:4.17.20

babel-preset-react-app:10.0.0
        └─ @babel/preset-env:7.12.1
              └─ @babel/plugin-transform-classes:7.12.1
                    └─ @babel/helper-define-map:7.10.5
                          └─ lodash:4.17.20
        └─ @babel/core:7.12.3
              └─ lodash:4.17.20

eslint:7.17.0
        └─ @eslint/eslintrc:0.2.2
              └─ lodash:4.17.20
        └─ lodash:4.17.20
        └─ table:6.0.6
              └─ lodash:4.17.20

react-transform-hmr:1.0.4
        └─ react-proxy:1.1.8
              └─ lodash:4.17.20

Error after update Sonarqube to 7.9 LTS version

Hi.
I was using the plugin perfectly for the last year, but after updating SonarQube I get this error in the SQ pre-analysis: "Path must be a string. Received undefined":

019-08-30T16:00:24.6116000Z ##[debug]Build.SourceBranch=undefined
2019-08-30T16:00:24.6118264Z ##[debug][SQ] Branch and PR parameters: {}
2019-08-30T16:00:24.6122259Z ##[debug]extraProperties=# Additional properties that will be passed to the scanner,

Put one key=value per line, example:

sonar.exclusions=**/*.bin

sonar.zaproxy.reportPath=E:\Agents\4_work\r276\a\OWASP-ZAP-Report-1972.xml
2019-08-30T16:00:24.6132186Z ##[debug]Agent.TempDirectory=E:\Agents\4_work_temp
2019-08-30T16:00:24.6132382Z ##[debug]Build.BuildNumber=undefined
2019-08-30T16:00:24.6155469Z ##[debug]task result: Failed
2019-08-30T16:00:24.6214218Z ##[error]Path must be a string. Received undefined

Maybe you can help me find out why it is failing.

[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.6.9

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):


Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

detect-port:1.3.0
        └─ debug:2.6.9

react-dev-utils:11.0.1
        └─ fork-ts-checker-webpack-plugin:4.1.6
              └─ micromatch:3.1.10
                    └─ extglob:2.0.4
                          └─ expand-brackets:2.1.4
                                └─ debug:2.6.9
                    └─ snapdragon:0.8.2
                          └─ debug:2.6.9
        └─ detect-port-alt:1.1.6
              └─ debug:2.6.9

webpack-dev-server:3.11.0
        └─ compression:1.7.4
              └─ debug:2.6.9
        └─ express:4.17.1
              └─ body-parser:1.19.0
                    └─ debug:2.6.9
              └─ debug:2.6.9
              └─ finalhandler:1.1.2
                    └─ debug:2.6.9
              └─ send:0.17.1
                    └─ debug:2.6.9
        └─ serve-index:1.9.1
              └─ debug:2.6.9

HTML report does not show on SonarQube

Hi!

I'm generating a full scan ZAP HTML report with this: https://www.zaproxy.org/docs/docker/full-scan/
The HTML file is being generated well. I've checked it.

I'm passing these parameters as recommended here to SonarScanner tool:

/home/jenkins/tools/hudson.plugins.sonar.SonarRunnerInstallation/sonar/bin/sonar-scanner -Dsonar.projectKey=*** -Dsonar.projectName=**** -Dsonar.branch.name=feature/14766-run-automated-pentest-scan -Dsonar.zaproxy.reportPath=tmp/zaproxy-report.xml -Dsonar.zaproxy.htmlReportPath=tmp/zaproxy-report.html

But the HTML does not show here:

image

PS: XML report file (tmp/zaproxy-report.xml) is being processed without any issues.

Could you help me?

[DepShield] (CVSS 7.5) Vulnerability due to usage of express:4.17.1

Vulnerabilities

DepShield reports that this application's usage of express:4.17.1 results in the following vulnerability(s):


Occurrences

express:4.17.1 is a transitive dependency introduced by the following direct dependency(s):

webpack-dev-server:3.11.0
        └─ express:4.17.1

I don't see any ZAP logs when launching a sonar analysis

Hi,

Context:

  • I use SonarQube 6.4
  • The .jar file, compiled as stated in this plugin's readme, is in the SonarQube plugin folder
  • I analyze a maven project, coded in Java
  • I launch the sonar execution manually so far by calling the maven goal sonar:sonar -Dsonar.host.url=<MySonarURL> as stated in the sonar documentation

By default my POM has no mention of sonar or zap. I tried adding some configuration like FranciscoSan did in #6 but did not obtain any better result 😞. The 6.4 version of SonarQube does not offer dashboards, so I can't try adding a widget to it as a check.

I'm new to this plugin, and to sonar overall, so consider telling me to do basic dumb checks, it may be that.

My Logs Overall:
"C:\Program Files\Java\jdk1.8.0_131\bin\java" -Dmaven.multiModuleProjectDirectory=<myProject LocalDirectory> "-Dmaven.home=C:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2017.1.3\plugins\maven\lib\maven3" "-Dclassworlds.conf=C:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2017.1.3\plugins\maven\lib\maven3\bin\m2.conf" "-javaagent:C:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2017.1.3\lib\idea_rt.jar=62655:C:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2017.1.3\bin" -Dfile.encoding=UTF-8 -classpath "C:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2017.1.3\plugins\maven\lib\maven3\boot\plexus-classworlds-2.5.2.jar" org.codehaus.classworlds.Launcher -Didea.version=2017.1.4 sonar:sonar -Dsonar.host.url=<MySonarURL>
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Engagement - UI testing 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- sonar-maven-plugin:3.3.0.603:sonar (default-cli) @ <Project> ---
[INFO] User cache: C:\Users\<me>\.sonar\cache
[INFO] Load global settings
[INFO] Load global settings (done) | time=218ms
[INFO] User cache: C:\Users\<me>\.sonar\cache
[INFO] Load plugins index
[INFO] Load plugins index (done) | time=9ms
[INFO] SonarQube version: 6.4.0
[INFO] Default locale: "fr_FR", source code encoding: "UTF-8"
[INFO] Process project properties
[INFO] Load project repositories
[INFO] Load project repositories (done) | time=42ms
[INFO] Execute project builders
[INFO] Execute project builders (done) | time=0ms
[INFO] Load quality profiles
[INFO] Load quality profiles (done) | time=22ms
[INFO] Load active rules
[INFO] Load active rules (done) | time=210ms
[INFO] Load metrics repository
[INFO] Load metrics repository (done) | time=174ms
[WARNING] SCM provider autodetection failed. No SCM provider claims to support this project. Please use sonar.scm.provider to define SCM of your project.
[INFO] Publish mode
[INFO] Project key: <myProjectKey>
[INFO] ------------- Scan <myProject>
[INFO] Load server rules
[INFO] Load server rules (done) | time=38ms
[INFO] Initializer GenericCoverageSensor
[INFO] Initializer GenericCoverageSensor (done) | time=0ms
[INFO] Base dir: <myProject LocalDirectory>
[INFO] Working dir: <myProject LocalDirectory>\target\sonar
[INFO] Source encoding: UTF-8, default locale: fr_FR
[INFO] Index files
[INFO] 102 files indexed
[INFO] Quality profile for java: Sonar way
[INFO] Sensor JavaSquidSensor [java]
[INFO] Configured Java source version (sonar.java.source): 7
[INFO] JavaClasspath initialization
[INFO] JavaClasspath initialization (done) | time=15ms
[INFO] JavaTestClasspath initialization
[INFO] JavaTestClasspath initialization (done) | time=7ms
[INFO] Java Main Files AST scan
[INFO] 102 source files to be analyzed
[INFO] 102/102 source files have been analyzed
[INFO] Java Main Files AST scan (done) | time=10903ms
[INFO] Java Test Files AST scan
[INFO] 0 source files to be analyzed
[INFO] Java Test Files AST scan (done) | time=5ms
[INFO] Sensor JavaSquidSensor [java] (done) | time=11721ms
[INFO] Sensor Analyzer for "php.ini" files [php]
[INFO] 0/0 source files have been analyzed
[INFO] Sensor Analyzer for "php.ini" files [php] (done) | time=4ms
[INFO] Sensor SurefireSensor [java]
[INFO] parsing [<myProject LocalDirectory>\target\surefire-reports]
[INFO] Sensor SurefireSensor [java] (done) | time=3ms
[INFO] Sensor JaCoCoSensor [java]
[INFO] Sensor JaCoCoSensor [java] (done) | time=1ms
[INFO] Sensor SonarJavaXmlFileSensor [java]
[INFO] Sensor SonarJavaXmlFileSensor [java] (done) | time=1ms
[INFO] Sensor Zero Coverage Sensor
[INFO] Sensor Zero Coverage Sensor (done) | time=114ms
[INFO] Sensor CPD Block Indexer
[INFO] Sensor CPD Block Indexer (done) | time=254ms
[INFO] No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
[INFO] 6 files had no CPD blocks
[INFO] Calculating CPD for 96 files
[INFO] CPD calculation finished
[INFO] Analysis report generated in 2031ms, dir size=826 KB
[INFO] Analysis reports compressed in 402ms, zip size=373 KB
[INFO] Analysis report uploaded in 244ms
[INFO] ANALYSIS SUCCESSFUL, you can browse <MyProjectUnderSonarURL>
[INFO] Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
[INFO] Task total time: 17.260 s
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 23.498 s
[INFO] Finished at: 2017-07-11T15:56:11+02:00
[INFO] Final Memory: 26M/595M
[INFO] ------------------------------------------------------------------------
Process finished with exit code 0

Is this plugin 6.4 compliant? Did I miss something obvious like a basic configuration? What checks/troubleshooting can I do?
Thanks for your time,
San.

how to use rulesFilePath?

The documentation for rulesFilePath:

# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml

alongside reportPath, with the Jenkins WORKSPACE reference as it is, seems to imply that custom rules may be defined in this file at analysis time. Is this the intention?

I am trying to develop my own plugin that can pass new rules in and a report that triggers them at the same time, and this looked like it might do what I want.

Am I missing how this is supposed to work? Do I have the wrong idea or am I doing it wrong? Is there an example I can follow?

For reference, here are the properties and files I am passing with the Jenkins plugin:

sonar.zaproxy.rulesFilePath=reports/test-rules.xml
sonar.zaproxy.reportPath=reports/test-report.xml

test-rules.xml

<rules>
    <rule>
        <key>1234567890</key>
        <name>Just some dynamic rule</name>
        <description>
            <![CDATA[<h3>Solution :</h3>
                <p>There is a problem, please fix it.</p>
		<h3>References:</h3>
		<ul>
		<li>No Reference.</li>
		</ul>]]>
        </description>
        <severity>MAJOR</severity>
        <status>READY</status>
        <tag>onetag</tag>
        <tag>anothertag</tag>
    </rule>
</rules>

test-report.xml:

<?xml version="1.0" encoding="UTF-8"?><OWASPZAPReport generated="jeu., 7 mai 2015 16:14:12" version="2.4.0">
    <site host="localhost" name="http://localhost:8180" port="8180" ssl="false"><alerts><alertitem>
        <pluginid>0</pluginid>
        <alert>Existing test check</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>A fancy description
        </desc>
        <uri>http://localhost/foobar.txt</uri>
        <param/>
        <attack/>
        <otherinfo>More other info
        </otherinfo>
        <solution>Amazing Solution
        </solution>
        <otherinfo>Some other info
        </otherinfo>
        <reference>Test reference
        </reference>
        <cweid>933</cweid>
        <wascid>14</wascid>
    </alertitem><alertitem>
        <pluginid>1234567890</pluginid>
        <alert>Dynamic rule test check</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>A fancy description
        </desc>
        <uri>http://localhost/foobar.txt</uri>
        <param/>
        <attack/>
        <otherinfo>More other info
        </otherinfo>
        <solution>Amazing Solution
        </solution>
        <otherinfo>Some other info
        </otherinfo>
        <reference>Test reference
        </reference>
        <cweid>933</cweid>
        <wascid>14</wascid>
    </alertitem>
	</alerts></site></OWASPZAPReport>

When I run this analysis with SonarQube 6.6, I get this warning about the rule I am trying to create:

WARN: The rule ZAProxy:1234567890 doesn't exist.

Error during SonarQube Scanner execution Caused by: The rule 'ZAProxy:10094' does not exist.

I have no idea what this is about but hopefully you can help me out.

The command executed:
C:\Users\vangelier\Downloads\sonar-scanner-msbuild-4.0.2.892\sonar-scanner-3.0.3.778\bin\sonar-scanner.bat -e -Dsonar.host.url=http://localhost:9000 -Dsonar.dependencyCheck.severity.critical=7.0 -Dsonar.sourceEncoding=UTF-8 -Dsonar.sources=. -Dsonar.login=3863330d43ae262f582b2a6e062a583d15b31da7 "-Dsonar.exclusions=node_modules/, platforms/, plugins/**" -Dsonar.projectKey=ZAP_EXAMPLE_JOB -Dsonar.dependencyCheck.severity.major=4.0 -Dsonar.verbose=true -Dsonar.zaproxy.reportPath=reports/zapproxy_report.xml -Dsonar.projectName=ZAP_EXAMPLE_JOB "-Dsonar.projectBaseDir=C:\Program Files (x86)\Jenkins\workspace\ZAP_EXAMPLE_JOB"

And then the log from the point where it crashes:
09:48:03.971 DEBUG: 'reports/zapproxy_report.xml' generated metadata with charset 'UTF-8'
09:48:03.972 DEBUG: Count lines in C:/Program Files (x86)/Jenkins/workspace/ZAP_EXAMPLE_JOB/reports/zapproxy_report.xml
09:48:04.203 INFO: Sensor XML Sensor [xml] (done) | time=259ms
09:48:04.203 INFO: Sensor OWASP Zap-Check [zap]
09:48:04.204 INFO: Process ZAP report
09:48:04.239 INFO: Process ZAP report (done) | time=35ms
09:48:04.243 INFO: ------------------------------------------------------------------------
09:48:04.243 INFO: EXECUTION FAILURE
09:48:04.243 INFO: ------------------------------------------------------------------------
09:48:04.243 INFO: Total time: 3.871s
09:48:04.321 INFO: Final Memory: 47M/305M
09:48:04.321 INFO: ------------------------------------------------------------------------
09:48:04.321 ERROR: Error during SonarQube Scanner execution
java.lang.RuntimeException: Can not process ZAP report. Ensure the report are located within the project workspace and that sonar.sources is set to reflect these paths (or set sonar.sources=.)
	at org.sonar.zaproxy.ZapSensor.execute(ZapSensor.java:159)
	at org.sonar.scanner.sensor.SensorWrapper.analyse(SensorWrapper.java:53)
	at org.sonar.scanner.phases.SensorsExecutor.executeSensor(SensorsExecutor.java:88)
	at org.sonar.scanner.phases.SensorsExecutor.execute(SensorsExecutor.java:82)
	at org.sonar.scanner.phases.SensorsExecutor.execute(SensorsExecutor.java:68)
	at org.sonar.scanner.phases.AbstractPhaseExecutor.execute(AbstractPhaseExecutor.java:88)
	at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:180)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121)
	at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:288)
	at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:283)
	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:261)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121)
	at org.sonar.scanner.task.ScanTask.execute(ScanTask.java:48)
	at org.sonar.scanner.task.TaskContainer.doAfterStart(TaskContainer.java:84)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121)
	at org.sonar.scanner.bootstrap.GlobalContainer.executeTask(GlobalContainer.java:121)
	at org.sonar.batch.bootstrapper.Batch.doExecuteTask(Batch.java:116)
	at org.sonar.batch.bootstrapper.Batch.executeTask(Batch.java:111)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:63)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at com.sun.proxy.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:233)
	at org.sonarsource.scanner.api.EmbeddedScanner.runAnalysis(EmbeddedScanner.java:151)
	at org.sonarsource.scanner.cli.Main.runAnalysis(Main.java:123)
	at org.sonarsource.scanner.cli.Main.execute(Main.java:77)
	at org.sonarsource.scanner.cli.Main.main(Main.java:61)
Caused by: The rule 'ZAProxy:10094' does not exist.

I have debug enabled but I still do not have enough information to find where and why it crashes. I validated the output from the console and Jenkins is correct.

Update maven.gpg.plugin to 1.6

As a developer,
I want to use the current version of the maven.gpg.plugin (currently 1.6) in the release process,
so that I can stay up to date with plugins while still being able to sign the releases.

Problem with newer SonarQube versions

Dear,

I have a problem, using the below scenario:

  • Jenkins Master/Slave using docker (permanent tool)
  • SonarQube running as docker (permanent tool)
  • Owasp ZAP running as docker (Running only at the stage, uses the ZAP official image)
  • Maven application with zap-sonar-plugin

OWASP ZAP Scan Step:
sh 'docker run --rm -v ${WORKSPACE}/zap/:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t ${URL} -n ${JSON_FILE} -a -d -f openapi -x zaproxy-report.zap -r zaproxy-report.html -J zaproxy-report.json -I'

Archive Artifacts steps:
archiveArtifacts '${WORKSPACE}/zaproxy-report.zap' (or .xml)

SONAR SCAN Step:
sh 'docker run -v $(pwd):/usr/src/mymaven -w /usr/src/mymaven maven:3.3-jdk-8 mvn -s /usr/src/mymaven/settings.xml -DskipTests clean -f /usr/src/mymaven/$API-api/pom.xml package sonar:sonar -Dsonar.projectKey="${SONAR_NAME}-DAST" -Dsonar.projectName="${SONAR_NAME}-DAST" -Dsonar.zaproxy.reportPath="${WORKSPACE}/zaproxy-report.zap" -Dsonar.dependencyCheck.skip=true'

I have a first Quality Gate integrated with dependency-check in the same pipeline, but this second one doesn't find the report. I tried almost all possibilities of folders =/

I also tried with the xml format in all steps, so I tried to set a custom extension because I saw it working in another pipeline, but with an older SonarQube version, and using the Jenkins plugin, not a container running SonarQube with a newer version (which is my situation).

When I check the workspace (or set a sh 'ls -lah') the report is there.

Any idea, plz?

Missing rules warning when integrating with Sonarqube

Hi

I am getting a couple of warnings when the analysis is run by SonarQube. The warnings say that a couple of rules are missing. Can you please check whether these rules are not included as part of the ZAP plugin for SonarQube?

2018-06-19T08:05:30.3397646Z ##[error]10:05:30.329 WARN: The rule ZAProxy:10027 doesn't exist.
2018-06-19T08:05:30.3406626Z ##[debug]Processed: ##vso[task.logissue type=error;]10:05:30.329 WARN: The rule ZAProxy:10027 doesn't exist.
2018-06-19T08:05:30.3407480Z 10:05:30.329 WARN: The rule ZAProxy:10027 doesn't exist.
2018-06-19T08:05:30.3520743Z ##[error]10:05:30.350 WARN: The rule ZAProxy:40029 doesn't exist.
2018-06-19T08:05:30.3521301Z ##[debug]Processed: ##vso[task.logissue type=error;]10:05:30.350 WARN: The rule ZAProxy:40029 doesn't exist.

Thanks
Nikhil
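The check below is an added example, not part of the issue or of the plugin's code. It cross-references the "rule doesn't exist" messages in a scanner log with the alerts in a ZAP XML report, so you can see which findings had no matching rule and check for them in SonarQube. The function names are hypothetical, the element names (alertitem, pluginid, alert, riskcode) are an assumption about the ZAP XML report layout, and the sample log and report are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Both message forms quoted in the issues on this page:
#   WARN: The rule ZAProxy:10027 doesn't exist.
#   Caused by: The rule 'ZAProxy:10094' does not exist.
MISSING_RULE = re.compile(r"The rule '?ZAProxy:(\d+)'? (?:doesn't|does not) exist")

# Constructed scanner log. Azure DevOps echoes each warning several times,
# so the ids have to be de-duplicated.
SAMPLE_LOG = """\
2018-06-19T08:05:30.3397646Z ##[error]10:05:30.329 WARN: The rule ZAProxy:10027 doesn't exist.
2018-06-19T08:05:30.3406626Z ##[debug]Processed: ##vso[task.logissue type=error;]10:05:30.329 WARN: The rule ZAProxy:10027 doesn't exist.
2018-06-19T08:05:30.3407480Z 10:05:30.329 WARN: The rule ZAProxy:10027 doesn't exist.
2018-06-19T08:05:30.3520743Z ##[error]10:05:30.350 WARN: The rule ZAProxy:40029 doesn't exist.
Caused by: The rule 'ZAProxy:10094' does not exist.
INFO: Process ZAP report (done) | time=78ms
"""

# Constructed ZAP XML report, reduced to the elements read below. Alert
# names and risk codes are placeholders, not ZAP's real values for these ids.
SAMPLE_REPORT = """\
<OWASPZAPReport>
  <site name="http://app.example">
    <alerts>
      <alertitem><pluginid>10027</pluginid><alert>Constructed alert A</alert><riskcode>0</riskcode></alertitem>
      <alertitem><pluginid>40029</pluginid><alert>Constructed alert B</alert><riskcode>2</riskcode></alertitem>
      <alertitem><pluginid>10020</pluginid><alert>Constructed alert C</alert><riskcode>2</riskcode></alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def missing_rule_ids(log_text):
    """Return the de-duplicated set of ZAP plugin ids the scanner had no rule for."""
    return {int(m.group(1)) for m in MISSING_RULE.finditer(log_text)}


def alerts_without_rule(report_xml, log_text):
    """Return (pluginid, alert name, riskcode) for report alerts whose rule is
    missing, highest risk first. Feed it only reports your own pipeline wrote;
    use a hardened XML parser for untrusted input."""
    missing = missing_rule_ids(log_text)
    found = []
    for item in ET.fromstring(report_xml).iter("alertitem"):
        plugin_id = int(item.findtext("pluginid", default="-1"))
        if plugin_id in missing:
            found.append((plugin_id,
                          item.findtext("alert", default=""),
                          int(item.findtext("riskcode", default="0"))))
    return sorted(found, key=lambda a: (-a[2], a[0]))


if __name__ == "__main__":
    for plugin_id, name, risk in alerts_without_rule(SAMPLE_REPORT, SAMPLE_LOG):
        print(f"ZAProxy:{plugin_id} risk={risk} {name}")
```

Ids that appear in the log but not in the report (10094 in the sample) stay in `missing_rule_ids` and are candidates for a custom rules file passed via sonar.zaproxy.rulesFilePath.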

No HTML-Report found. Please check property sonar.zaproxy.htmlReportPath

I added this line, sonar.zaproxy.htmlReportPath=D:/SonarQube_9.6/zap/zaproxy-htmlReport.html, to SonarQube/conf/sonar.properties and also generated a report file from OWASP ZAP in the same directory path.

However, when I launch SonarQube and click on the ZAP extension dropbox, the message "No HTML-Report found. Please check property sonar.zaproxy.htmlReportPath" appears.

Is this a bug? How can I solve this issue to be able to generate ZAP report from SonarQube?

Please help.

Update zap rules

The current rules defined in https://github.com/OtherDevOpsGene/zap-sonar-plugin/blob/main/src/main/resources/org/sonar/zaproxy/rules.xml do not include all rules from https://www.zaproxy.org/docs/alerts/.

Need to include at least the rules used by
https://www.zaproxy.org/docs/docker/baseline-scan/ and
https://www.zaproxy.org/docs/docker/api-scan/

The command below will generate the rules list used for the baseline scan:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-baseline.py -j -a -g baseline-scan.txt
-t TARGET_HOST (rules baseline-scan.txt

Binary release

It would be handy and very nice to have a release on the release page that provided a binary (.jar) for download and installation. Especially useful for docker installations.

Cheers.
Paul

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:4.0.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):


Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

react-dev-utils:11.0.1
        └─ fork-ts-checker-webpack-plugin:4.1.6
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ has-value:1.0.0
                                            └─ has-values:1.0.0
                                                  └─ kind-of:4.0.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

Severity defined in Sonar is ignored

It seems that when creating an issue in sonar, the zap-sonar-plugin simply overrides the severity defined in the sonar rule with the one defined by zap.
This is what I gather from the code in ZapSensor.addIssue():

    context.newIssue()
        .forRule(RuleKey.of(ZapPlugin.REPOSITORY_KEY, String.valueOf(alert.getPluginid())))
        .at(new DefaultIssueLocation().on(context.module()).message(formatDescription(alert)))
        .overrideSeverity(severity)
        .save();

That's also the behaviour that I have observed.

However, it seems more convenient to allow the user to change the severity in sonar.
For example, different sonar projects could require different security levels.

Add developer norms to wiki

As a developer,
I want to see the development norms, workflow, etc. on the wiki,
so that I know what is expected of me to contribute.

Coveros to help with maintenance

Coveros is willing to help or take over the maintenance of this plugin.

One of my team members and I have each written SonarQube plugins before. We are heavy SonarQube and OWASP ZAP users throughout the company. We use both tools in our day-to-day jobs, in our training courses, and often blog and speak about them at conferences.

Please let me know how you would like us to help.

Java error when adding report HTML Azure Devops CI

CI Task

  - task: SonarQubePrepare@4
    inputs:
      SonarQube: 'SonarqubeDevTest-ErcanTest'
      scannerMode: 'MSBuild'
      projectKey: 'ErcanTest'
      projectName: 'ErcanTest'
      extraProperties: |
        sonar.zaproxy.reportPath=$(System.DefaultWorkingDirectory)/owaspzap/test-results.xml
        sonar.zaproxy.htmlReportPath=$(System.DefaultWorkingDirectory)/owaspzap/report.html

Error:
##[error]ERROR: Error during SonarScanner execution
java.lang.UnsupportedOperationException: Can not add the same measure twice on [key=ErcanTest]: DefaultMeasure[component=[key=ErcanTest],metric=Metric[uuid=<null>,key=html_report,description=Report HTML,type=DATA,direction=0,domain=OWASP-ZAP,name=ZAP Report,qualitative=false,userManaged=false,enabled=true,worstValue=<null>,bestValue=<null>,optimizedBestValue=false,hidden=false,deleteHistoricalData=true,decimalScale=<null>],value=<html> <head> <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:48)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:85)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:59)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:77)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:59)
at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:82)
at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:393)
at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:389)
at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:386)
at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:358)
at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:144)
at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
at com.sun.proxy.$Proxy0.execute(Unknown Source)
at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
at org.sonarsource.scanner.cli.Main.main(Main.java:61)
ERROR:
##[error]The SonarScanner did not complete successfully
The SonarScanner did not complete successfully
##[error]11:40:02.815 Post-processing failed. Exit code: 1
11:40:02.815 Post-processing failed. Exit code: 1
##[error]The process '/usr/bin/dotnet' failed with exit code 1

Error during SonarQube Scanner execution

ERROR: org/sonar/batch/bootstrapper/EnvironmentInformation has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

[DepShield] (CVSS 7.5) Vulnerability due to usage of http-proxy:1.18.1

Vulnerabilities

DepShield reports that this application's usage of http-proxy:1.18.1 results in the following vulnerability(s):


Occurrences

http-proxy:1.18.1 is a transitive dependency introduced by the following direct dependency(s):

webpack-dev-server:3.11.0
        └─ http-proxy-middleware:0.19.1
              └─ http-proxy:1.18.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

Switch to GitHub Flow

I've come to appreciate the simplicity of GitHub Flow and do not have a compelling reason to stay with Git Flow.

Can't see ZAP report in Sonar

I ran a sonar scan (previously tried with the Jenkins ZAP Plugin, now with the Sonar Scan command line to be sure) and I can't see the ZAP report (such as More->OWASP Dependency Check in the case of that plugin).
Nor can I see vulnerabilities in the project.
Versions:
sonar-zap-plugin-1.0.1.jar
SonarQube Version 6.7.3 (build 38370)
SonarQube Scanner 3.1.0.1141
sonar.properties:

sonar.projectKey=jenkinsprueba
sonar.zaproxy.reportPath=reports/JENKINS_ZAP_VULNERABILITY_REPORT.xml
sonar.zaproxy.htmlReportPath=reports/JENKINS_ZAP_VULNERABILITY_REPORT.html
sonar.sources=reports
sonar.zaproxy.report.dir=reports

This is the console output:
C:\Users\dchavez\.jenkins\workspace\ZAPJenkins>sonar-scanner
INFO: Scanner configuration file: C:\tools\sonar-scanner-3.1.0.1141-windows\bin\..\conf\sonar-scanner.properties
INFO: Project root configuration file: C:\Users\dchavez\.jenkins\workspace\ZAPJenkins\sonar-project.properties
INFO: SonarQube Scanner 3.1.0.1141
INFO: Java 1.8.0_121 Oracle Corporation (64-bit)
INFO: Windows 10 10.0 amd64
INFO: User cache: C:\Users\dchavez\.sonar\cache
INFO: SonarQube server 6.7.3
INFO: Default locale: "en_US", source code encoding: "windows-1252" (analysis is platform dependent)
INFO: Publish mode
INFO: Load global settings
INFO: Load global settings (done) | time=85ms
INFO: Server id: AWMXVidGOWZ1uA9DPlu0
INFO: User cache: C:\Users\dchavez\.sonar\cache
INFO: Load plugins index
INFO: Load plugins index (done) | time=62ms
INFO: Download sonar-zap-plugin-1.0.1.jar
INFO: Process project properties
INFO: Load project repositories
INFO: Load project repositories (done) | time=125ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=48ms
INFO: Load active rules
INFO: Load active rules (done) | time=1259ms
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=47ms
WARN: SCM provider autodetection failed. No SCM provider claims to support this project. Please use sonar.scm.provider to define SCM of your project.
INFO: Project key: jenkinsprueba
INFO: ------------- Scan jenkinsprueba
INFO: Base dir: C:\Users\dchavez\.jenkins\workspace\ZAPJenkins
INFO: Working dir: C:\Users\dchavez\.jenkins\workspace\ZAPJenkins\.scannerwork
INFO: Source paths: reports
INFO: Source encoding: windows-1252, default locale: en_US
INFO: Load server rules
INFO: Load server rules (done) | time=525ms
INFO: Index files
INFO: 2 files indexed
INFO: Quality profile for web: Sonar way
INFO: Quality profile for xml: Sonar way
INFO: Sensor OWASP Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.xml
INFO: Process Dependency-Check report (done) | time=16ms
WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.html
INFO: Sensor OWASP Dependency-Check [dependencycheck] (done) | time=16ms
INFO: Sensor OWASP Zap-Check [zap]
INFO: Process ZAP report
INFO: Process ZAP report (done) | time=78ms
INFO: Sensor OWASP Zap-Check [zap] (done) | time=93ms
INFO: Sensor SonarJavaXmlFileSensor [java]
INFO: 1 source files to be analyzed
INFO: Sensor SonarJavaXmlFileSensor [java] (done) | time=100ms
INFO: 1/1 source files have been analyzed
INFO: Sensor Web [web]
INFO: Sensor Web [web] (done) | time=612ms
INFO: Sensor XML Sensor [xml]
INFO: Sensor XML Sensor [xml] (done) | time=161ms
INFO: Sensor Analyzer for "php.ini" files [php]
INFO: Sensor Analyzer for "php.ini" files [php] (done) | time=4ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=12ms
INFO: Sensor CPD Block Indexer
INFO: Sensor CPD Block Indexer (done) | time=0ms
INFO: No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
INFO: Calculating CPD for 1 file
INFO: CPD calculation finished
INFO: Analysis report generated in 110ms, dir size=93 KB
INFO: Analysis reports compressed in 31ms, zip size=27 KB
INFO: Analysis report uploaded in 62ms
INFO: ANALYSIS SUCCESSFUL, you can browse http://localhost:9000/dashboard/index/jenkinsprueba
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://localhost:9000/api/ce/task?id=AWNAjYxf9IwjzzrjNrMb
INFO: Task total time: 5.924 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 8.957s
INFO: Final Memory: 19M/372M
INFO: ------------------------------------------------------------------------
