No HTML-Report found. Please check property sonar.dependencyCheck.htmlReportPath error in Sonarqube UI when using dependency-check plugin

[Krishpluto]

Describe the bug
In Gitlab, we are currently working on integrating our project with SonarQube. Our gitlab project has been set up and integrated with the Sonarqube community edition. However, when the dependency check is run from the yaml file, the Dependency check plugin does not display the report in Sonarqube. Instead, it shows the message "No HTML-Report found. Please check property sonar.dependencyCheck.htmlReportPath," despite the correct path being set up in our script files. We are seeking guidance on how to correctly set up the integration, in case it was done incorrectly, as we haven't found suitable setup examples. We would appreciate advice on how to proceed.

Current behavior
Error is showing in the place of dependency report "No HTML-Report found. Please check property sonar.dependencyCheck.htmlReportPath"

Expected behavior
Dependency report should display in the SonarQube

Screenshots

Versions (please complete the following information):

• sonarqube - 10.6
• dependency-check-sonar-plugin - 5.0.0

Additional context
Please find the Sonar related part in Gitlab yml file below:

sonarqube:
  # allow_failure: true
  variables:
    SONAR_USER_HOME:
      value: "${CI_PROJECT_DIR}/.sonar"
  rules:
    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_COMMIT_REF_NAME

sonarqube-vulnerability-report-merge-requests:
  stage: test-report
  image:
    name: node:lts
  before_script:
    - npm install -g sonar-report
  script:
    - sonar-report
      --sonarurl $SONAR_HOST_URL
      --sonartoken $SONAR_TOKEN
      --project="Sonar Report"
      --application $SONAR_PROJECT_KEY
      --release $CI_COMMIT_SHA
      --pullrequest $CI_MERGE_REQUEST_ID
      --sonarcomponent $SONAR_PROJECT_KEY
      --allbugs
      --no-security-hotspot
      --output="sonar-report_sonar-report.html"
  artifacts:
    name: "sonar-report"
    paths:
      - sonar-report_sonar-report.html
    expire_in: 1 Day
    expose_as: "Vulnerability Report"
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_COMMIT_REF_NAME

sonar-projects.properties file:

sonar.projectKey=*****
sonar.projectName=*****
sonar.verbose=false
sonar.host.url=******
sonar.links.homepage=******
sonar.links.scm=*******
sonar.links.ci=******

sonar.dependencyCheck.htmlReportPath=sonar-report_sonar-report.html
sonar.dependencyCheck.jsonReportPath=sonar-report_sonar-report.json
sonar.dependencyCheck.severity.blocker=6.0
sonar.dependencyCheck.severity.critical=4.0
sonar.dependencyCheck.severity.major=2.0
sonar.dependencyCheck.severity.minor=0.0

sonar.dependencyCheck.securityHotspot=true

sonar.shellcheck.reportPath=shellcheck-report.json
sonar.python.version=3.10
sonar.python.coverage.reportPaths=coverage.xml

sonar.dockerfile.dockerfilePaths=Dockerfile

sonar.qualitygate.wait=true
sonar.qualitygate.timeout=300

[Reamer]

The path is usually set incorrectly. Take a look at the debug log output of the SonarQube agent/plugin.

[Gh0stR0ck]

The path is usually set incorrectly. Take a look at the debug log output of the SonarQube agent/plugin.

I'm having the same problem. I have that normal ${WORKSPACE}/dependency-check-report.json as path. I also cannot find the plugin map in de agent directory.

[mbialas]

I would have assumed this plugin would generate a report, so i'm confused by these errors:

Dependency-Check JSON report does not exists. Please check property sonar.dependencyCheck.jsonReportPath:/Users/myuser/projects/test-repo/dependency-check-report.json

Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:/Users/myuser/projects/test-repo/dependency-check-report.html

I can create those files in my project:
touch dependency-check-report.json
touch dependency-check-report.html

And that stops the errors, but there are still no file contents -- they remain blank after it runs.

[Reamer]

Please read the Readme.md

This SonarQube plugin does not perform analysis, rather, it reads existing Dependency-Check reports.