Reputation: 1369
I have a large project which includes a front end portion downloading dependencies through NPM/Yarn and was looking for security vulnerability scanning for these third party dependencies defined in package.json.
I am already aware of options such as Snyk, retireJS, NSP (now acquired by NPM) and the like, however was wondering whether there is a decent plugin which I can use to add to SonarQube. The idea would be to scan the list of dependencies, check it with a CVE database and generate an HTML report with the vulnerabilities identifying the level of risk for each one of them.
Thanks
Upvotes: 4
Views: 3238
Reputation: 3469
How about using OWASP Dependency Check and integrating the report into SonarQube using this plugin?
It would be using the info from NSP and RetireJS to do the scan.
Upvotes: 1
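As an added example (not from the answer above, nor code from the Dependency-Check or SonarQube projects), the script below reads the JSON report that Dependency-Check can write next to its HTML output and ranks every scanned package by its worst finding, which is the per-dependency risk view the question asks for. The report layout (`dependencies[].vulnerabilities[]` carrying `severity` and `cvssv3`/`cvssv2` scores) is assumed from Dependency-Check's JSON format, and the sample report, package names and CVE ids are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample report: the shape follows Dependency-Check's JSON output,
# but the packages and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-a:1.0.0", "vulnerabilities": [
            {"name": "CVE-PLACEHOLDER-0001", "severity": "HIGH",
             "cvssv3": {"baseScore": 7.4}},
            {"name": "CVE-PLACEHOLDER-0002", "severity": "MEDIUM",
             "cvssv2": {"score": 5.0}}]},
        {"fileName": "example-lib-b:2.3.1"},   # clean: no vulnerabilities key
        {"fileName": "example-lib-c:0.0.8", "vulnerabilities": [
            {"name": "CVE-PLACEHOLDER-0003", "severity": "CRITICAL",
             "cvssv3": {"baseScore": 9.8}}]},
    ]
})

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

def score_of(vuln):
    """CVSSv3 base score if present, else the CVSSv2 score, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)

def summarise(report_text):
    """Map each dependency to (worst severity, highest score, CVE ids).
    Packages without findings are listed as NONE so the output covers
    every scanned dependency, not only the vulnerable ones."""
    summary = {}
    for dep in json.loads(report_text).get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        worst = max((v.get("severity", "").upper() for v in vulns),
                    key=lambda s: SEVERITY_RANK.get(s, 0), default="NONE")
        top = max((score_of(v) for v in vulns), default=0.0)
        summary[dep["fileName"]] = (worst, top, [v["name"] for v in vulns])
    return summary

def severity_counts(summary):
    """Number of dependencies per worst severity, e.g. for a dashboard."""
    return Counter(worst for worst, _, _ in summary.values())

def offenders(summary, threshold=7.0):
    """Dependencies whose highest CVSS score reaches the build-gate threshold."""
    return sorted(d for d, (_, s, _) in summary.items() if s >= threshold)

if __name__ == "__main__":
    result = summarise(SAMPLE_REPORT)
    for dep, (worst, top, ids) in result.items():
        print(f"{dep:22} {worst:9} {top:4.1f} {', '.join(ids)}")
    print("over threshold:", offenders(result))
```

Run it against the `dependency-check-report.json` produced by a real scan instead of `SAMPLE_REPORT` to get the same ranking for your own `package.json` dependencies.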