11

I'm working on a web application. I need to check the security of its dependencies.

I'm actually scanning my source code with OWASP Dependency-Check, but I think it's not the best tool to use on a web app. I think npm audit or yarn audit is a better tool to check the dependency security of this kind of application.

With OWASP, I use the OWASP SonarQube Project to integrate the result into SonarQube. Example of settings used:

sonar.dependencyCheck.reportPath=$(System.DefaultWorkingDirectory)/DependencyCheckResults/dependency-check-report.xml
sonar.dependencyCheck.htmlReportPath=$(System.DefaultWorkingDirectory)/DependencyCheckResults/dependency-check-report.html

In the same way, is there a way to use the npm audit (or yarn audit) report in SonarQube?

At the moment I generate a report in JSON format, using this command:

npm audit --json

I also know that it's possible to generate an HTML report from npm audit with https://github.com/eventOneHQ/npm-audit-html

So, it's just missing a SonarQube plugin to import it or something like that, but I can't find it.

Geoffrey Lalloué
  • Where in the SonarQube application did you expect this data? Please refer the [ask] link for more details on how to ask a question and update your question accordingly. – Jeroen Heier Sep 15 '19 at 07:56
  • @JeroenHeier: I updated my question, I hope the description is enough to understand my problem ;) – Geoffrey Lalloué Sep 16 '19 at 08:52

1 Answer

6

Currently, this does not seem to be possible. However, npm RFC 0004 specifies an npm audit --owasp flag for solving this problem. This RFC was accepted, but is not yet implemented.

Maybe it is worth a try to parse the output of npm audit --json with some SonarQube plugin, but I have no more knowledge about how to do this.

Edit 2021-08-09

The npm RFC was withdrawn:

The npm cli team would be happy to land this change in case it comes from a community contribution; this withdrawal was based on the fact that this is not remotely close to being in the roadmap of the current team.

haja