Add OWASP Dependency-Check integration for SonarQube

- Add sonar.dependencyCheck.jsonReportPath and htmlReportPath to sonar-project.properties - Add Dependency-Check action scanning composer.lock and package.json - Generate JSON and HTML reports for SonarQube analysis - Add to ci.yml sonarqube job and sonarqube.yml workflow Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:41:25 +01:00
parent 7474ada434
commit 7cce3a2999
3 changed files with 33 additions and 0 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -204,6 +204,24 @@ jobs:
          ./hadolint docker/php/dev/Dockerfile -f json > hadolint-dev.json || true
          ./hadolint docker/php/prod/Dockerfile -f json > hadolint-prod.json || true

+      - name: OWASP Dependency-Check
+        uses: dependency-check/Dependency-Check_Action@main
+        with:
+          project: 'e-ticket'
+          path: '.'
+          format: 'JSON,HTML'
+          args: >
+            --scan composer.lock
+            --scan package.json
+            --out .
+            --disableAssembly
+        continue-on-error: true
+
+      - name: Rename Dependency-Check reports
+        run: |
+          mv dependency-check-report.json dependency-check-report.json 2>/dev/null || true
+          mv dependency-check-report.html dependency-check-report.html 2>/dev/null || true
+
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@v5
        env:
--- a/.gitea/workflows/sonarqube.yml
+++ b/.gitea/workflows/sonarqube.yml
@@ -92,6 +92,19 @@ jobs:
          ./hadolint docker/php/dev/Dockerfile -f json > hadolint-dev.json || true
          ./hadolint docker/php/prod/Dockerfile -f json > hadolint-prod.json || true

+      - name: OWASP Dependency-Check
+        uses: dependency-check/Dependency-Check_Action@main
+        with:
+          project: 'e-ticket'
+          path: '.'
+          format: 'JSON,HTML'
+          args: >
+            --scan composer.lock
+            --scan package.json
+            --out .
+            --disableAssembly
+        continue-on-error: true
+
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@v5
        with:
--- a/sonar-project.properties
+++ b/sonar-project.properties
@@ -11,3 +11,5 @@ sonar.test.inclusions=tests/**/*.php,tests/js/**/*.test.js
 sonar.javascript.lcov.reportPaths=coverage/lcov.info
 sonar.eslint.reportPaths=eslint-report.json
 sonar.docker.hadolint.reportPaths=hadolint-dev.json,hadolint-prod.json
+sonar.dependencyCheck.jsonReportPath=dependency-check-report.json
+sonar.dependencyCheck.htmlReportPath=dependency-check-report.html