1.首先配置maven的setting文件。
<profile>
<id>sonar</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<sonar.jdbc.url>jdbc:postgresql://localhost/sonar</sonar.jdbc.url>
<sonar.jdbc.driver>org.postgresql.Driver</sonar.jdbc.driver>
<sonar.jdbc.username>user</sonar.jdbc.username>
<sonar.jdbc.password>password</sonar.jdbc.password>
<!-- SERVER ON A REMOTE HOST -->
<sonar.host.url>http://localhost:9000</sonar.host.url>
</properties>
</profile>
2.在自己项目中的pom.xml中加入对应的dependency和plugin。
pom.xml文件
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>6.1.5</version>
</dependency>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>6.1.5</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
<configuration> <!-- Generate all report formats --> <format>ALL</format>
<!-- Don't use Nexus Analyzer --> <centralAnalyzerEnabled>false</centralAnalyzerEnabled> <!-- Am I the latest version? --> <versionCheckEnabled>true</versionCheckEnabled> </configuration>
</plugin>
3.在命令行中执行 mvn clean compile dependency-check:check,即可。
4.在sonarqube中安装dependency-check插件
dependency-check插件下载地址:dependency-check
下载使用以下命令生成jar包
> $ mvn clean package
将插件放入sonarqube的插件目录$SONAR_INSTALL_DIR/extensions/plugins,并且重启sonarqube
5.执行以下命令将dependency-check报告上传到sonarqube
mvn sonar:sonar -Dsonar.dependencyCheck.jsonReportPath=target/dependency-check-report.json -Dsonar.dependencyCheck.xmlReportPath=target/dependency-check-report.xml -Dsonar.dependencyCheck.htmlReportPath=target/dependency-check-report.html
注:sonar-maven-plugin的版本需要在3.6以上。
<plugin>
<groupId>org.sonarsource.scanner.maven</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>3.6.0.1398</version>
</plugin>
6.在sonarqube中查看dependency-check报告。
在sonarqube控制台找到对应的项目,然后点击更多,点击Dependency-Check即可看到报告。