1. First, configure a profile in Maven's settings file (~/.m2/settings.xml). Note that the sonar.jdbc.* properties below are a leftover from old SonarQube releases: since SonarQube 5.2 the scanner talks only to the web server, so sonar.host.url (plus an authentication token via sonar.login when the server requires login) is all the scanner needs, and a database password should not be kept in settings.xml at all.
<profile>
  <id>sonar</id>
  <activation>
    <activeByDefault>true</activeByDefault>
  </activation>
  <properties>
    <!-- Legacy database settings; unused by the scanner on SonarQube 5.2+ -->
    <sonar.jdbc.url>jdbc:postgresql://localhost/sonar</sonar.jdbc.url>
    <sonar.jdbc.driver>org.postgresql.Driver</sonar.jdbc.driver>
    <sonar.jdbc.username>user</sonar.jdbc.username>
    <sonar.jdbc.password>password</sonar.jdbc.password>
    <!-- SonarQube server URL; replace localhost if the server is on a remote host -->
    <sonar.host.url>http://localhost:9000</sonar.host.url>
  </properties>
</profile>
2. Add the plugin to your project's pom.xml. dependency-check-maven is a build plugin, so it belongs under <build><plugins>; do not also declare it as a <dependency>, which would needlessly put the scanner and all of its transitive dependencies on your project's classpath.
pom.xml:
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>6.1.5</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- Generate all report formats (HTML, XML, JSON, ...); SonarQube consumes the JSON/XML ones -->
    <format>ALL</format>
    <!-- Don't query the Maven Central analyzer (it matches JARs to coordinates by SHA-1;
         disabling it avoids network calls to Central but can reduce identification accuracy) -->
    <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
    <!-- Warn if a newer dependency-check release is available -->
    <versionCheckEnabled>true</versionCheckEnabled>
  </configuration>
</plugin>
3. On the command line run mvn clean compile dependency-check:check. The first run downloads the NVD data feed and can take several minutes. Note that with the default failBuildOnCVSS value of 11 the check goal never fails the build; set <failBuildOnCVSS> in the plugin configuration to a CVSS threshold (for example 7) if you want the scan to act as a hard gate.
4. Install the dependency-check plugin in SonarQube
Plugin download: dependency-check
Build the plugin JAR from the downloaded source with:
mvn clean package
Copy the resulting JAR into SonarQube's plugin directory $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.
5. Run the following command to upload the dependency-check reports to SonarQube (run it after step 3 in the same module, so that the report files under target/ exist):
mvn sonar:sonar -Dsonar.dependencyCheck.jsonReportPath=target/dependency-check-report.json -Dsonar.dependencyCheck.xmlReportPath=target/dependency-check-report.xml -Dsonar.dependencyCheck.htmlReportPath=target/dependency-check-report.html
Note: sonar-maven-plugin must be version 3.6 or later.
<plugin>
  <groupId>org.sonarsource.scanner.maven</groupId>
  <artifactId>sonar-maven-plugin</artifactId>
  <version>3.6.0.1398</version>
</plugin>
6. View the dependency-check report in SonarQube.
In the SonarQube console open the project, click More, then click Dependency-Check to see the report.
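The report that step 5 uploads (target/dependency-check-report.json) is also the natural place to enforce a policy in CI, independently of what SonarQube displays. The script below is an added example written for this tutorial; it is not code from the dependency-check project or from the SonarQube plugin. It walks the report's dependencies, counts findings by severity label and exits non-zero when any finding's CVSS score reaches a threshold, mirroring what the plugin's failBuildOnCVSS option does (dependency-check trips on either the v2 score or the v3 base score). The field names used (dependencies[].fileName, vulnerabilities[].name, .severity, .cvssv2.score, .cvssv3.baseScore) follow the dependency-check JSON report schema as the example's author understands it, and the embedded sample report is constructed with placeholder library names and identifiers, not real ones.

```python
"""Gate a build on an OWASP dependency-check JSON report.

Added example for this tutorial; not code from the dependency-check project
or the SonarQube plugin. It reads the same JSON report that step 5 uploads to
SonarQube (target/dependency-check-report.json) and fails when any finding's
CVSS score reaches a threshold, the way the plugin's failBuildOnCVSS option
does. Field names (dependencies[].fileName, vulnerabilities[].name / severity /
cvssv2.score / cvssv3.baseScore) follow the dependency-check JSON report schema
as understood by the example's author; check them against a real report.
"""
import json
import sys
from collections import Counter


def vuln_score(vuln):
    """Return the highest CVSS score attached to one vulnerability entry.

    dependency-check trips failBuildOnCVSS if either the v2 score or the v3
    base score reaches the threshold, so the gate uses the maximum of the two.
    Entries carrying no numeric score yield 0.0; they still appear in the
    severity summary via their 'severity' label.
    """
    scores = []
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if v3.get("baseScore") is not None:
        scores.append(float(v3["baseScore"]))
    if v2.get("score") is not None:
        scores.append(float(v2["score"]))
    return max(scores, default=0.0)


def evaluate_report(report, threshold):
    """Walk every dependency's findings.

    Returns (failing, severities): failing is a list of
    (dependency fileName, vulnerability name, score) tuples whose score is at
    or above threshold, highest score first; severities counts every finding's
    severity label regardless of threshold.
    """
    failing = []
    severities = Counter()
    for dep in report.get("dependencies", []):
        # Dependencies without findings omit the key or carry an empty list.
        for vuln in dep.get("vulnerabilities") or []:
            severities[str(vuln.get("severity", "UNKNOWN")).upper()] += 1
            score = vuln_score(vuln)
            if score >= threshold:
                failing.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    failing.sort(key=lambda entry: entry[2], reverse=True)
    return failing, severities


# Constructed sample in the shape of a dependency-check JSON report; the
# library names and vulnerability identifiers are placeholders, not real ones.
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-lib-a-1.0.jar",
            "vulnerabilities": [
                {"name": "EXAMPLE-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}, "cvssv2": {"score": 7.5}},
            ],
        },
        {
            "fileName": "example-lib-b-2.3.jar",
            "vulnerabilities": [
                {"name": "EXAMPLE-0002", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},
            ],
        },
        {"fileName": "example-lib-c-0.1.jar"},
    ],
}


def main(argv):
    """Usage: gate.py [path/to/dependency-check-report.json] [cvss_threshold]

    Without a path the constructed sample above is used. Exit status 1 means
    at least one finding reached the threshold (7.0, i.e. HIGH, by default).
    """
    report = SAMPLE_REPORT
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    threshold = float(argv[2]) if len(argv) > 2 else 7.0

    failing, severities = evaluate_report(report, threshold)
    print("findings by severity:", dict(severities))
    for file_name, name, score in failing:
        print(f"FAIL {file_name}: {name} (CVSS {score})")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs between step 3 and step 5, for example python3 gate.py target/dependency-check-report.json 7.0, so a build with a HIGH or CRITICAL finding stops before results are even pushed to SonarQube; the severity summary it prints is the same breakdown the Dependency-Check page in SonarQube shows after the upload.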
