
Bug wrong path issue dependency check in SonarQube #1054

@Eiken0tt

Description

Describe the bug
I scan a project that has two package-lock.json files. One is located at the frontend/package-lock.json path and one is located at the backend/package-lock.json path.
The package-lock.json with vulnerabilities is frontend/package-lock.json, but if I look at the report from the project's SonarQube issues dashboard, the report is assigned to the package-lock.json located at backend/package-lock.json.

To Reproduce
Run a dependency-check. Run the SonarScanner scan and push the reports (I push the reports in .html, .xml and .json format). Then compare the path from the HTML report with the path from the SonarQube issues dashboard.

Current behavior
In the SonarQube issues section the issues are associated with backend/package-lock.json, but the issues are in frontend/package-lock.json.

Expected behavior
In the SonarQube issues section the issues must be associated with the correct file.

Screenshots

  • Part of the JSON report file which shows where the vulnerable library was detected:

```json
{
    "evidenceCollected": {
        "productEvidence": [
            {
                "confidence": "HIGHEST",
                "name": "name",
                "source": "package.json",
                "type": "product",
                "value": "store2"
            }
        ],
        "vendorEvidence": [
            {
                "confidence": "HIGH",
                "name": "name",
                "source": "package.json",
                "type": "vendor",
                "value": "store2"
            }
        ],
        "versionEvidence": [
            {
                "confidence": "HIGHEST",
                "name": "version",
                "source": "package.json",
                "type": "version",
                "value": "2.14.2"
            }
        ]
    },
    "fileName": "store2:2.14.2",
    "filePath": "/code/source/frontend/package-lock.json?store2",
    "isVirtual": true,
    "packages": [
        {
            "confidence": "HIGHEST",
            "id": "pkg:npm/store2@2.14.2",
            "url": "https://ossindex.sonatype.org/component/pkg:npm/store2@2.14.2?utm_source=dependency-check&utm_medium=integration&utm_content=12.1.0"
        }
    ],
    ...
```

  • Screenshot of the HTML report

  • Path mismatch

  • Some other libraries with mismatched paths

Versions (please complete the following information):

  • Dependency-Check Core version 12.1.0
  • SonarQube Community Edition v25.5.0.107428
  • dependency-check-sonar-plugin 5.0.0

Additional context

I already opened an issue in the SonarQube issue tracker (community.sonarsource.com). They replied to me to open the issue here.
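Added example (not code from the reporter or from dependency-check-sonar-plugin): a small Python check that reads a dependency-check JSON report, strips the `?<package>` suffix that appears after the lock-file path of virtual dependencies (as in the `filePath` of the report fragment above), makes the path relative to an assumed scan root, and groups the vulnerable dependencies per lock file. The result can then be compared against what the SonarQube issues dashboard shows, so a mismatch like the one reported here is caught mechanically. The sample report, the scan root `/code/source`, the dashboard entries and the `CVE-PLACEHOLDER-*` ids are all constructed for the example.

```python
import json
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# Constructed sample report (not a real scan): two lock files, only the
# frontend one carries vulnerable dependencies. CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "store2:2.14.2",
         "filePath": "/code/source/frontend/package-lock.json?store2",
         "isVirtual": True,
         "vulnerabilities": [{"name": "CVE-PLACEHOLDER-1", "severity": "HIGH"}]},
        {"fileName": "lodash:4.17.20",
         "filePath": "/code/source/frontend/package-lock.json?lodash",
         "isVirtual": True,
         "vulnerabilities": [{"name": "CVE-PLACEHOLDER-2", "severity": "HIGH"}]},
        {"fileName": "express:4.18.2",
         "filePath": "/code/source/backend/package-lock.json?express",
         "isVirtual": True},
    ]
})

# Constructed sample of what a SonarQube issues dashboard might show, as
# (component path, dependency) pairs: store2 placed under backend by mistake.
SAMPLE_SONAR_ISSUES = [
    ("backend/package-lock.json", "store2:2.14.2"),
    ("frontend/package-lock.json", "lodash:4.17.20"),
]


def project_relative_path(file_path: str, scan_root: str) -> str:
    """Turn a dependency-check filePath into the project-relative file.

    Virtual dependencies (packages listed in a lock file) carry a
    '?<package>' suffix after the lock-file path; strip it, then express
    the path relative to the scan root (an assumed value in this example).
    """
    path = PurePosixPath(file_path.split("?", 1)[0])
    try:
        return str(path.relative_to(PurePosixPath(scan_root)))
    except ValueError:
        # Path outside the scan root: keep it absolute so nothing is hidden.
        return str(path)


def vulnerable_files(report_json: str, scan_root: str) -> Dict[str, List[str]]:
    """Map each project file to the vulnerable dependencies the report attributes to it."""
    by_file: Dict[str, List[str]] = {}
    for dep in json.loads(report_json).get("dependencies", []):
        if not dep.get("vulnerabilities"):
            continue  # clean dependency, nothing to locate
        rel = project_relative_path(dep["filePath"], scan_root)
        by_file.setdefault(rel, []).append(dep["fileName"])
    return by_file


def location_mismatches(report_json: str, scan_root: str,
                        sonar_issues: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (dependency, file per report, file per dashboard) for every
    dashboard issue whose component differs from the file the report names."""
    expected: Dict[str, str] = {}
    for rel, deps in vulnerable_files(report_json, scan_root).items():
        for dep in deps:
            expected[dep] = rel
    return [(dep, expected[dep], component)
            for component, dep in sonar_issues
            if dep in expected and expected[dep] != component]


if __name__ == "__main__":
    for dep, want, got in location_mismatches(SAMPLE_REPORT, "/code/source", SAMPLE_SONAR_ISSUES):
        print(f"{dep}: report says {want}, SonarQube shows {got}")
```

Feeding the real `dependency-check-report.json` and the scan root used by the scanner into `location_mismatches`, with the dashboard entries exported as (component, dependency) pairs, lists exactly which findings landed on the wrong lock file.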

Metadata

Assignees

No one assigned

    Labels

    bug, lifecycle/frozen (indicates that an issue or PR should not be auto-closed due to staleness)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests