I'm working on a web application. I need to check the security of its dependencies.
I'm currently scanning my source code with OWASP Dependency-Check, but I think it's not the best tool to use on a web app. I think npm audit or yarn audit is a better tool to check dependency security for this kind of application.
With OWASP, I use the OWASP SonarQube Project to integrate the results into SonarQube. Example of settings used:
sonar.dependencyCheck.reportPath=$(System.DefaultWorkingDirectory)/DependencyCheckResults/dependency-check-report.xml
sonar.dependencyCheck.htmlReportPath=$(System.DefaultWorkingDirectory)/DependencyCheckResults/dependency-check-report.html
In the same way, is there a way to import the npm audit (or yarn audit) report into SonarQube?
At the moment I generate the report in JSON format, using this command:
npm audit --json
I also know that it's possible to generate an HTML report from npm audit with https://github.com/eventOneHQ/npm-audit-html
So it's just missing a SonarQube plugin to import it, or something like that, but I can't find one.
Currently, this does not seem to be possible. However, npm RFC 0004 specifies an npm audit --owasp flag which would solve this problem. This RFC was accepted, but is not yet implemented.
Maybe it is worth a try to parse the output of npm audit --json with some SonarQube plugin, but I have no more knowledge about how to do this.
The npm RFC was withdrawn:
The npm cli team would be happy to land this change in case it comes from a community contribution; this withdrawal was based on the fact that this is not remotely close to being on the roadmap of the current team.