Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sonar format reports deprecated fields #1206

Open
CameronGo opened this issue Sep 3, 2024 · 2 comments
Open

Sonar format reports deprecated fields #1206

CameronGo opened this issue Sep 3, 2024 · 2 comments

Comments

@CameronGo
Copy link

Summary

When Sonarqube ingests the gosec output file, generated sonarqube format, a warning is displayed indicating that the file has deprecated fields which will not be supported in the future.

Steps to reproduce the behavior

Run gosec on the project with these parameters:
gosec -fmt=sonarqube -out=.testreports/gosec-report.json ./... ;

Then run sonar scanner CLI with the following parameter in the config file:
sonar.externalIssuesReportPaths=.testreports/gosec-report.json

gosec version

Using the docker container, which reports the following:

Version: dev
Git tag:
Build date: 2024-05-14

Go version (output of 'go version')

v1.23.0

Operating system / Environment

Linux

Expected behavior

Analysis of gosec report to complete without errors or warnings.

Actual behavior

The following warning is displayed:

WARN: External issues were imported with a deprecated format which will be removed soon. Please switch to the newest format to fully benefit from Clean Code: https://docs.sonarsource.com/sonarcloud/enriching/generic-issue-data/

@mmorel-35
Copy link
Contributor

Shall this be an evolution of the actual sonarqube output format they are very close but some fields are moved or shall there be a sonarqube-external-issues format ?

@CameronGo
Copy link
Author

CameronGo commented Sep 20, 2024

I sought clarification on the changes in the file spec from Sonar and got some additional info. Here’s an example of an issue in the deprecated format of the report:

{
    "issues": [
        {
            "engineId": "gosec",
            "ruleId": "G101",
            "primaryLocation": {
                "message": "Potential hardcoded credentials",
                "filePath": "/home/stevanvanderwerf/code/learn-go-with-tests/arrays/v1/sum.go",
                "textRange": {
                    "startLine": 2,
                    "endLine": 2
                }
            },
            "type": "VULNERABILITY",
            "severity": "BLOCKER",
            "effortMinutes": 5
        }
    ]
}

The current format would look like this:

{
    "rules": [
        {
            "id": "G101",
            "name": "G101",
            "engineId": "gosec",
            "cleanCodeAttribute": "TRUSTWORTHY",
            "impacts": [
                {
                    "softwareQuality": "SECURITY",
                    "severity": "HIGH"
                }
            ]
        }
    ],
    "issues": [
        {
            "ruleId": "G101",
            "effortMinutes": 5,
            "primaryLocation": {
                "message": "Potential hardcoded credentials",
                "filePath": "/home/stevanvanderwerf/code/learn-go-with-tests/arrays/v1/sum.go",
                "textRange": {
                    "startLine": 2,
                    "endLine": 2
                }
            }
        }
    ]
}

In the new format you can see that I’ve selected SECURITY as the SoftwareQuality impact. For reference: https://docs.sonarsource.com/sonarcloud/enriching/generic-issue-data/

Additionally, to see the differences between the deprecated format and current format of the Generic Issue Reports, you can also reference them in SonarQube:
https://docs.sonarsource.com/sonarqube/9.9/analyzing-source-code/importing-external-issues/generic-issue-import-format/

https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/importing-external-issues/generic-issue-import-format/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants