
Add SonarQube SCA (Software Composition Analysis) API Import Support#14710

Open
mathiasconradt wants to merge 4 commits into DefectDojo:dev from mathiasconradt:sonarqube-sca-api

Conversation

@mathiasconradt

Summary

Adds SCA (Software Composition Analysis) support to DefectDojo's existing SonarQube API Import integration, enabling import of dependency vulnerabilities alongside existing SAST findings and security hotspots.

Changes

API Client (dojo/tools/api_sonarqube/api_client.py)

  • Added find_sca_risks() method to fetch SCA data from SonarQube /api/v2/sca/risk-reports endpoint

Importer (dojo/tools/api_sonarqube/importer.py)

  • Modified get_findings() to call import_sca() when enabled
  • Added import_sca() method to parse SCA risks into DefectDojo findings
  • Added convert_sca_severity() to map SonarQube BLOCKER → DefectDojo Critical
  • Enabled by default via SONARQUBE_API_PARSER_SCA setting (getattr with default True)

Field Mapping

  • riskTitle → title
  • vulnerabilityId → unsaved_vulnerability_ids
  • cvssScore → cvssv3_score
  • cweIds → cwe (first CWE)
  • packageUrl → component_name/component_version (parsed from PURL format)
  • dependencyChains → included in description
  • riskSeverity → severity (BLOCKER/CRITICAL → Critical, HIGH → High, etc.)
  • Only OPEN risks are imported (skips ACCEPT, SAFE, CONFIRM statuses)

Tests (unittests/tools/test_api_sonarqube_importer.py)

  • Added dummy_sca_risks() to load test data
  • Added TestSonarqubeImporterSCASupport: verifies correct count of OPEN risks imported
  • Added TestSonarqubeImporterValidateSCAData: validates field mapping, CVE extraction, PURL parsing
  • Test data: 49 SCA risks from SonarQube demo project (33 OPEN risks with HIGH/MEDIUM/LOW severities)

Test Plan

  • Code passes Ruff compliance check
  • Code passes SonarQube security scan
  • Unit tests added with comprehensive coverage
  • Rebased on latest upstream/dev
  • Tested with live SonarQube instance importing CVEs and license issues
  • CI tests pass (will be verified automatically)

Follow-on Work

None required - feature is complete and follows existing patterns for hotspots import.

Related Issues

Implements SCA support as discussed in community requests for dependency vulnerability tracking from SonarQube.

🤖 Generated with Claude Code

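The field mapping above, worked through as an added example (this is not code from the PR or from DefectDojo): SCA risk records are filtered to OPEN status, the PURL is split into component name and version, the first CWE is taken, and the severity and dependency chains are mapped as the description lists. The record keys come from the PR text; the sample records, the nesting assumed for cweIds and dependencyChains, and the "Info" fallback for unknown severities are this example's own assumptions.

```python
"""Added example (not the PR's code): SonarQube SCA risk -> DefectDojo-style finding dict."""
from __future__ import annotations

import re
from typing import Any
from urllib.parse import unquote

# riskSeverity -> DefectDojo severity, as listed in the PR description
SCA_SEVERITY_MAP = {
    "BLOCKER": "Critical",
    "CRITICAL": "Critical",
    "HIGH": "High",
    "MEDIUM": "Medium",
    "LOW": "Low",
}
# Only OPEN risks are imported; ACCEPT, SAFE and CONFIRM are skipped (per the PR)
IMPORTED_STATUSES = frozenset({"OPEN"})
_CWE_RE = re.compile(r"(?:CWE-)?(\d+)", re.IGNORECASE)


def convert_sca_severity(risk_severity: str | None) -> str:
    """Unknown/missing values become "Info" (this example's fallback, not the PR's)."""
    return SCA_SEVERITY_MAP.get((risk_severity or "").strip().upper(), "Info")


def parse_purl(purl: str | None) -> tuple[str | None, str | None]:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into (name, version).

    Subpath and qualifiers are dropped, the type is dropped, and the version is
    split off at the last '@' BEFORE percent-decoding: a literal '@' inside a
    namespace (npm scopes) must be encoded as %40 in a valid PURL.
    """
    if not purl or not purl.startswith("pkg:"):
        return None, None
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    body = body.split("/", 1)[1] if "/" in body else ""  # drop the type segment
    name, version = body.rsplit("@", 1) if "@" in body else (body, "")
    return unquote(name) or None, unquote(version) or None


def first_cwe(cwe_ids: Any) -> int:
    """First CWE as an int; accepts "CWE-502", "502" or 502. 0 means no CWE in DefectDojo."""
    for value in cwe_ids or []:
        match = _CWE_RE.fullmatch(str(value).strip())
        if match:
            return int(match.group(1))
    return 0


def format_dependency_chains(chains: Any) -> str:
    """Render chains (assumed: list of lists of package strings) as bullet lines."""
    lines = []
    for chain in chains or []:
        hops = chain if isinstance(chain, (list, tuple)) else [chain]
        lines.append("- " + " -> ".join(str(hop) for hop in hops))
    return "\n".join(lines)


def sca_risk_to_finding(risk: dict[str, Any]) -> dict[str, Any] | None:
    """One finding dict per OPEN risk; None for risks that must be skipped."""
    if str(risk.get("status", "")).upper() not in IMPORTED_STATUSES:
        return None
    purl = risk.get("packageUrl")
    name, version = parse_purl(purl)
    vuln_id = risk.get("vulnerabilityId")
    score = risk.get("cvssScore")
    description = f"Package: {purl or 'unknown'}"
    chains = format_dependency_chains(risk.get("dependencyChains"))
    if chains:
        description += "\n\nDependency chains:\n" + chains
    return {
        "title": risk.get("riskTitle") or f"SCA risk in {name or 'unknown package'}",
        "severity": convert_sca_severity(risk.get("riskSeverity")),
        "cvssv3_score": float(score) if score is not None else None,
        "cwe": first_cwe(risk.get("cweIds")),
        "component_name": name,
        "component_version": version,
        "unsaved_vulnerability_ids": [vuln_id] if vuln_id else [],
        "description": description,
    }


def import_sca(risks: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """The import step: every risk is mapped, non-OPEN ones fall out."""
    return [f for f in (sca_risk_to_finding(r) for r in risks) if f is not None]


# Constructed sample report (not real SonarQube output). CVE-2021-44228 is the
# real log4j id; the GHSA value is a placeholder, not a real advisory.
SAMPLE_RISKS: list[dict[str, Any]] = [
    {"riskTitle": "Remote code execution in log4j-core", "vulnerabilityId": "CVE-2021-44228",
     "cvssScore": 10.0, "cweIds": ["CWE-502", "CWE-20"],
     "packageUrl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar",
     "dependencyChains": [["pkg:maven/com.example/app@1.0.0",
                           "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]],
     "riskSeverity": "BLOCKER", "status": "OPEN"},
    {"riskTitle": "Accepted risk, must be skipped", "vulnerabilityId": "GHSA-xxxx-xxxx-xxxx",
     "cvssScore": 7.4, "cweIds": ["CWE-1321"], "packageUrl": "pkg:npm/lodash@4.17.20",
     "dependencyChains": [], "riskSeverity": "HIGH", "status": "ACCEPT"},
    {"riskTitle": "Numeric CWE id", "vulnerabilityId": "CVE-2021-3807", "cvssScore": "7.5",
     "cweIds": [1333], "packageUrl": "pkg:npm/ansi-regex@5.0.0",
     "dependencyChains": [["pkg:npm/chalk@4.1.0", "pkg:npm/ansi-regex@5.0.0"]],
     "riskSeverity": "high", "status": "OPEN"},
    {"riskTitle": "Scoped package, no version, optional fields missing",
     "packageUrl": "pkg:npm/%40scope/widget", "riskSeverity": "LOW", "status": "OPEN"},
]
```

Running `import_sca(SAMPLE_RISKS)` yields three findings: the ACCEPT record is dropped, the numeric CWE and the string CVSS score are normalised, and the scoped npm package decodes to `@scope/widget` with no version. Splitting the version before percent-decoding is the detail most home-grown PURL parsers get wrong.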
mathiasconradt and others added 2 commits April 19, 2026 21:24
Adds Software Composition Analysis (SCA) dependency risk import to the
SonarQube API integration.

Changes:
- Add find_sca_risks() method to api_client.py for /api/v2/sca/risk-reports endpoint
- Add import_sca() method to importer.py to parse SCA risks into DefectDojo findings
- Add convert_sca_severity() to map SonarQube severity (BLOCKER/CRITICAL/HIGH/MEDIUM/LOW) to DefectDojo
- Enable by default via SONARQUBE_API_PARSER_SCA setting (defaults to True)

Fields mapped:
- riskTitle → title
- vulnerabilityId → unsaved_vulnerability_ids (CVE/GHSA)
- cvssScore → cvssv3_score
- cweIds → cwe (first CWE)
- packageUrl → component_name/component_version (parsed from PURL)
- dependencyChains → included in description
- riskSeverity → severity (BLOCKER mapped to Critical)

Tested with SonarQube SCA API response. Security validated with SonarQube analysis.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Added comprehensive test coverage for the new SCA import functionality:

- Added dummy_sca_risks() to load test data from sca_risks.json
- TestSonarqubeImporterSCASupport: verifies only OPEN risks imported (33 findings)
- TestSonarqubeImporterValidateSCAData: validates field mapping
  * CVE/vulnerability ID extraction
  * CVSS score mapping
  * CWE ID extraction
  * Component name/version parsing from PURL
  * Severity conversion
  * Description formatting

Test data includes 49 SCA risks from SonarQube demo project with HIGH
severity vulnerabilities and various license issues.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
mathiasconradt and others added 2 commits April 19, 2026 22:01
Updated find_sca_risks() to paginate through results:
- Added pageIndex and pageSize parameters (500 per page, max 100 pages)
- Handles both paginated response (issuesReleases wrapper) and flat array
- Follows same pattern as find_issues() and find_hotspots()

Updated test mock to wrap test data in paginated response structure
to match expected API format.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
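The pagination behaviour that commit describes, as an added example rather than the PR's own client code: pageIndex/pageSize query parameters, 500 per page, at most 100 pages, and a response that may be either a dict wrapping the list under "issuesReleases" or a flat list. The endpoint path and those names are taken from the page; assumed here are a 1-based pageIndex, a projectKey parameter for selecting the project, a "short page ends the loop" stop condition, and the constructed fake server used so the example runs offline.

```python
"""Added example (not the PR's code): bounded pagination of the SCA risk-reports endpoint."""
from __future__ import annotations

from collections.abc import Callable
from typing import Any

SCA_RISK_REPORTS_PATH = "/api/v2/sca/risk-reports"  # from the PR
PAGE_SIZE = 500    # per page, as in the commit message
MAX_PAGES = 100    # hard cap so a misbehaving server cannot make us loop forever

# (path, query params) -> decoded JSON body. The real client does the HTTP call;
# injecting it keeps the paging logic testable without a SonarQube instance.
FetchJson = Callable[[str, dict[str, Any]], Any]


def extract_risks(body: Any) -> list[dict[str, Any]]:
    """Accept both {"issuesReleases": [...]} and a bare [...] payload."""
    if isinstance(body, list):
        return body
    if isinstance(body, dict) and isinstance(body.get("issuesReleases"), list):
        return body["issuesReleases"]
    raise ValueError(f"unexpected risk-report payload: {type(body).__name__}")


def find_sca_risks(fetch: FetchJson, project_key: str, *, branch: str | None = None,
                   page_size: int = PAGE_SIZE, max_pages: int = MAX_PAGES) -> list[dict[str, Any]]:
    """Collect all SCA risks for a project, never issuing more than max_pages requests."""
    risks: list[dict[str, Any]] = []
    for page_index in range(1, max_pages + 1):  # assumed 1-based, like SonarQube's v1 'p'
        params: dict[str, Any] = {"projectKey": project_key,  # parameter name assumed
                                  "pageIndex": page_index, "pageSize": page_size}
        if branch:
            params["branch"] = branch
        page = extract_risks(fetch(SCA_RISK_REPORTS_PATH, params))
        risks.extend(page)
        if len(page) < page_size:
            break  # short (or empty) page: nothing more to fetch
    return risks


class FakeSonarQube:
    """Constructed stand-in for the HTTP layer: serves `dataset` in pages."""

    def __init__(self, dataset: list[dict[str, Any]], wrapped: bool = True) -> None:
        self.dataset = dataset
        self.wrapped = wrapped
        self.calls: list[dict[str, Any]] = []  # records every request made

    def fetch(self, path: str, params: dict[str, Any]) -> Any:
        if path != SCA_RISK_REPORTS_PATH:
            raise ValueError(f"unexpected path {path}")
        self.calls.append(dict(params))
        start = (params["pageIndex"] - 1) * params["pageSize"]
        chunk = self.dataset[start:start + params["pageSize"]]
        if self.wrapped:  # wrapper metadata keys are constructed for the fake
            return {"issuesReleases": chunk, "page": {"pageIndex": params["pageIndex"],
                                                       "pageSize": params["pageSize"],
                                                       "total": len(self.dataset)}}
        return chunk


def demo() -> tuple[int, int, int, int]:
    """(risks via wrapped responses, requests made, risks via flat responses, risks under a page cap)."""
    dataset = [{"riskId": f"r{i}", "status": "OPEN"} for i in range(1250)]
    wrapped = FakeSonarQube(dataset)
    n_wrapped = len(find_sca_risks(wrapped.fetch, "demo-project"))  # 500 + 500 + 250
    flat = FakeSonarQube(dataset, wrapped=False)
    n_flat = len(find_sca_risks(flat.fetch, "demo-project"))
    # Every page is full here, so only the max_pages cap stops the loop.
    capped = FakeSonarQube(dataset)
    n_capped = len(find_sca_risks(capped.fetch, "demo-project", page_size=100, max_pages=3))
    return n_wrapped, len(wrapped.calls), n_flat, n_capped
```

`demo()` fetches 1250 risks in three requests for both payload shapes, and with a page size of 100 and a cap of three pages it stops at 300, which is the behaviour to want when a server keeps returning full pages. Note that a project with exactly 1000 risks costs one extra, empty request under this stop condition; that is the price of not trusting a "total" field that a flat-array response does not carry.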
- Remove unnecessary else after break (RET508)
- Add trailing commas (COM812)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>