
Add a Tag:Trivy to the reports. #8

Open
felipewnp opened this issue Dec 20, 2024 · 3 comments
@felipewnp commented Dec 20, 2024

From what I've tried so far, filtering issues imported from Trivy in SonarQube is not possible.

A very simple solution (IMO at least), would be to add a tag "Trivy" to the issues created by the plugin.

Is it possible?

umax self-assigned this Jan 22, 2025

@atanev commented Jan 22, 2025

From what I can see there is no tag as part of the report structure described here

type is not currently used, with the most logical value being VULNERABILITY; I can try adding it if it will make the filtering UX better.

@felipewnp (Author) commented

I think it's worth a shot, if you don't mind, of course!

@atanev commented Jan 28, 2025

I did spend some time playing with this, and here is what I found:
it is impacts vs. type and severity.
impacts is responsible for MQR (Multi-Quality Rule) Mode, which, from what I can see, is the new way SQ wants to push.
severity and type are for the "Standard Experience".


impacts vs. type and severity are essentially responsible for the same thing, but under different "views".

The moment I add type to the report, severity becomes mandatory as well, and from the link above you can observe that they have changed the severity levels between the two modes. This would require maintaining two separate mappings, between Trivy and standard mode and between Trivy and MQR mode, which isn't ideal to say the least.


Other than this maintenance burden, it isn't easier to navigate, because I was still left with the same filtering options:
in MQR mode:
Software quality: Security, Reliability, Maintainability
Severity: the respective levels
in STD mode:
Type: Bug, Vulnerability, Code smells
Severity: the respective levels

What is different in MQR is that there is an extra filter, "Clean Code Attribute", which corresponds to the following:
https://docs.sonarsource.com/sonarqube-server/10.8/core-concepts/clean-code/definition/

Currently, in the plugin it is hardcoded to "LOGICAL"; however, in the filter I'm presented with only the four major categories: Consistency, Intentionality, Adaptability and Responsibility.
The issues from the report (LOGICAL) are part of "Intentionality", so all of them end up there.

After all this, I don't see a way to make filtering more "discoverable" so that all issues from a single "engineId" can be viewed more easily.

I'm open to exploring other options if there are any suggestions.
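The two mappings discussed in the thread, side by side, as an added example that is not the plugin's own code and not posted by either commenter: a converter from Trivy JSON to SonarQube's generic issue report that emits either the Standard Experience fields (type and severity on every issue) or the MQR form (a rules block with cleanCodeAttribute and impacts, and issues that only reference a ruleId). The Trivy input is constructed, with placeholder vulnerability IDs. Field names follow the generic issue format as SonarSource documents it; the MQR severity scale (HIGH/MEDIUM/LOW) and the external rule key prefix used by external_rule_key are assumptions to check against the SonarQube version in use.

```python
"""Convert a Trivy JSON report to SonarQube's generic issue import format.

Added example, not the sonar-trivy plugin's code. The MQR severity scale and
the external rule key prefix are assumptions; verify them for your SQ version.
"""
import json

ENGINE_ID = "trivy"

# Constructed Trivy output (not real scan data; vulnerability IDs are placeholders).
TRIVY_SAMPLE = json.dumps({
    "Results": [{
        "Target": "Dockerfile",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
             "Severity": "HIGH", "Title": "Example buffer overflow"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother",
             "InstalledVersion": "2.3", "Severity": "UNKNOWN",
             "Title": "Example issue with no fix"},
        ],
    }]
})

# Standard Experience: type and severity on each issue; SonarQube wants both together.
STD_SEVERITY = {"CRITICAL": "BLOCKER", "HIGH": "CRITICAL", "MEDIUM": "MAJOR",
                "LOW": "MINOR", "UNKNOWN": "INFO"}
# MQR mode: impacts on the rule, on the HIGH/MEDIUM/LOW scale (assumed for SQ 10.x).
MQR_SEVERITY = {"CRITICAL": "HIGH", "HIGH": "HIGH", "MEDIUM": "MEDIUM",
                "LOW": "LOW", "UNKNOWN": "LOW"}


def _message(vuln):
    """Human-readable issue message built from the Trivy finding."""
    fix = vuln.get("FixedVersion")
    fixed = f", fixed in {fix}" if fix else ", no fix available"
    return (f"{vuln['VulnerabilityID']}: {vuln.get('Title', '')} "
            f"({vuln['PkgName']} {vuln['InstalledVersion']}{fixed})")


def external_rule_key(rule_id, engine_id=ENGINE_ID):
    """Rule key under which an external issue shows up in SonarQube (assumed prefix)."""
    return f"external_{engine_id}:{rule_id}"


def convert(trivy_json, mode):
    """Return a generic issue report dict in 'std' or 'mqr' form."""
    data = json.loads(trivy_json)
    issues, rules = [], {}
    for result in data.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").upper()
            # Trivy reports no line for OS packages, so textRange is omitted:
            # SonarQube then files the issue at file level against the Target path.
            issue = {"ruleId": vuln["VulnerabilityID"],
                     "primaryLocation": {"message": _message(vuln),
                                         "filePath": result["Target"]}}
            if mode == "std":
                issue.update({"engineId": ENGINE_ID, "type": "VULNERABILITY",
                              "severity": STD_SEVERITY.get(sev, "INFO")})
            elif mode == "mqr":
                rules.setdefault(vuln["VulnerabilityID"], {
                    "id": vuln["VulnerabilityID"],
                    "name": vuln.get("Title", vuln["VulnerabilityID"]),
                    "engineId": ENGINE_ID,
                    "cleanCodeAttribute": "LOGICAL",
                    "impacts": [{"softwareQuality": "SECURITY",
                                 "severity": MQR_SEVERITY.get(sev, "LOW")}],
                })
            else:
                raise ValueError(f"unknown mode {mode!r}")
            issues.append(issue)
    report = {"issues": issues}
    if mode == "mqr":
        report["rules"] = list(rules.values())
    return report


if __name__ == "__main__":
    print(json.dumps(convert(TRIVY_SAMPLE, "mqr"), indent=2))
```

Write the output to a file and point the scanner at it with sonar.externalIssuesReportPaths; filePath must name a file the scanner indexes, otherwise the issue is dropped. The std branch shows why the thread calls the dual mapping a maintenance burden: every Trivy level needs its own entry in both tables, and the two tables do not even share a scale.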
