我在将依赖关系检查器输出从构建代理发送到SonarQube服务器时遇到问题。我不确定这是我与Dependency Checker或服务器/客户端上的SonarQube设置一起使用的命令。我将扫描输出报告为.cs,.js,.css等的SonarQube,但是在依赖项检查器小部件中看不到依赖项扫描的输出。但是,如果我检查特定构建的工作文件夹,则从owasp依赖项检查器创建的三个文件尚未被选择。
进行扫描之前我准备做的事情:
我用来通过.Net Core安装dotnet-sonarscanner的命令:
dotnet tool install --global dotnet-sonarscanner
OWASPdependency-check-cli命令(从构建代理上的checkoutDir的根目录运行:
dependency-check.bat --project "%system.teamcity.projectName%" --scan . -f ALL --log D:\DependencyLogs\verbose.log
为了使RetireJs功能正常工作,我不得不调试日志并直接下载无法直接检索的json文件。我想我还需要使用java参数(/ d:)
为https的代理添加替代项声纳扫描仪开始命令:
dotnet sonarscanner begin /k:%ProjectKey% /n:"%ProjectName%" /d:sonar.login=%SonarQube.UserToken% /d:sonar.host.url=%SonarQube.Host.Url%"
如果我添加参数/d:sonar.dependencyCheck.xmlReportPath=%system.teamcity.checkoutDir%/dependency-check-report.xml,则解析为checkoutdir,并在其后面添加了/ src / -check-report.xml
Sonar Scanner结束命令:
dotnet sonarscanner /d:sonar.login=%SonarQube.UserToken% end
如果添加
%system.teamcity.build.workingDir%/dependency-check-report.html
到sonarqube的插件属性中的html,xml或json字段:
[23:19:08] [Step 1/1] INFO: Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:D:\TeamCityBuildAgent\work\a7450333ae6fcf0c\%system.teamcity.build.workingDir%\dependency-check-report.json
[23:19:08] [Step 1/1] INFO: JSON-Analysis skipped/aborted due to missing report file
[23:19:08] [Step 1/1] INFO: Using XML-Reportparser
[23:19:08] [Step 1/1] INFO: Dependency-Check XML report does not exists. Please check property sonar.dependencyCheck.xmlReportPath:D:\TeamCityBuildAgent\work\a7450333ae6fcf0c\%system.teamcity.build.workingDir%\dependency-check-report.xml
[23:19:08] [Step 1/1] INFO: XML-Analysis skipped/aborted due to missing report file
[23:19:08] [Step 1/1] INFO: Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:D:\TeamCityBuildAgent\work\a7450333ae6fcf0c\%system.teamcity.build.workingDir%\dependency-check-report.html
[23:19:08] [Step 1/1] INFO: HTML-Dependency-Check report does not exist.
如果我删除了工作目录,那么在sonarqube中看起来像这样:
dependency-check-report.html
输出看起来像这样:
[23:26:38] [Step 1/1] INFO: Sensor Dependency-Check [dependencycheck]
[23:26:38] [Step 1/1] INFO: Process Dependency-Check report
[23:26:38] [Step 1/1] INFO: Using JSON-Reportparser
[23:26:39] [Step 1/1] WARN: JSON-Analysis aborted
[23:26:39] [Step 1/1] INFO: Using XML-Reportparser
[23:26:39] [Step 1/1] INFO: We doesn't found any Project configuration file e.g. pom.xml, gradle.build, build.gradle.kts, package-lock.json and can not link dependencies
[23:26:39] [Step 1/1] INFO: Linking 662 dependencies to project
[23:26:39] [Step 1/1] INFO: Upload Dependency-Check HTML-Report
[23:26:39] [Step 1/1] INFO: Process Dependency-Check report (done) | time=959ms
[23:26:39] [Step 1/1] INFO: Sensor Dependency-Check [dependencycheck] (done) | time=960ms
所以应该可以。 Dependency-Check HTML已完成并上传,但是当我查看SonarQube中报告的依赖项时,该视图为空。我在想什么..]
输出在那里: