Expected Behavior
I'd like to have a SonarQube report format that is not in a deprecated format.
Actual Behavior
When importing a KICS report into a SonarQube server with a version > 9 (e.g. 2025.5.0), we obtain the following warning:

WARN External issues were imported with a deprecated format which will be removed soon. Please switch to the newest format to fully benefit from Clean Code: https://docs.sonarsource.com/sonarqube-community-build/analyzing-source-code/importing-external-issues/generic-issue-import-format
Steps to Reproduce the Problem
- Create a sample main.tf file with some vulnerabilities (you don't even need this file to run on your computer). This sample is directly extracted from the Azure documentation:
provider "azurerm" {
  features {
    key_vault {
      purge_soft_deleted_secrets_on_destroy = true
      recover_soft_deleted_secrets          = true
    }
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                       = "examplekeyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Create",
      "Get",
    ]

    secret_permissions = [
      "Set",
      "Get",
      "Delete",
      "Purge",
      "Recover"
    ]
  }
}

resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}
- Run a KICS analysis on your code:

docker run -t -v $PWD:/path -w /path checkmarx/kics scan -p /path --report-formats "sonarqube" -o /path

This command should create a non-empty file sonarqube-results.json.
- Create a sonar-project.properties next to your project like this (the project key will depend on your project key in SQ; in a .properties file a comment must be on its own line, a trailing "# ..." would be read as part of the value):

# This will depend on your project key in SQ
sonar.projectKey=test_kics_sq
sonar.externalIssuesReportPaths=sonarqube-results.json
- Run a SonarQube analysis:

docker run --rm -e SONAR_HOST_URL="<your_sq_url>" -e SONAR_TOKEN="<your_token>" -w /usr/src -v "$PWD:/usr/src" sonarsource/sonar-scanner-cli

Then you should see, in the logs, the warning mentioned earlier.
Specifications
(N/A if not applicable)
- Version: N/A
- Platform: N/A
- Subsystem: N/A
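Added example (not part of the issue, and not KICS or SonarSource code): a small converter that rewrites a report in the deprecated generic issue format into the current one, which carries a top-level "rules" array with "cleanCodeAttribute" and "impacts", and issues that only reference a "ruleId" (no "engineId", "severity" or "type" per issue). The sample input below is constructed by hand in the shape the deprecated format has (engineId, ruleId, severity, type, primaryLocation); the rule ids and messages are hypothetical, not real KICS queries. The mapping of old severities and types onto Clean Code impacts, and the choice of Clean Code attribute per software quality, are assumptions a team would want to adjust, not something SonarSource or KICS prescribes.

```python
import json
import sys

# Constructed sample in the shape of the deprecated SonarQube generic issue
# format (engineId/ruleId/severity/type per issue). Rule ids and messages are
# hypothetical; this is not real KICS output.
OLD_REPORT = {
    "issues": [
        {
            "engineId": "kics",
            "ruleId": "example-secret-no-expiration",
            "severity": "MAJOR",
            "type": "VULNERABILITY",
            "primaryLocation": {
                "message": "Key Vault secret has no expiration date",
                "filePath": "main.tf",
                "textRange": {"startLine": 45, "endLine": 45},
            },
            "effortMinutes": 30,
        },
        {
            "engineId": "kics",
            "ruleId": "example-secret-no-expiration",
            "severity": "CRITICAL",
            "type": "VULNERABILITY",
            "primaryLocation": {
                "message": "Key Vault secret has no expiration date",
                "filePath": "other.tf",
                "textRange": {"startLine": 3, "endLine": 3},
            },
        },
        {
            "engineId": "kics",
            "ruleId": "example-vault-network-acl-missing",
            "severity": "MINOR",
            "type": "VULNERABILITY",
            "primaryLocation": {
                "message": "Key Vault has no network ACL configured",
                "filePath": "main.tf",
                "textRange": {"startLine": 22, "endLine": 22},
            },
        },
    ]
}

# Assumed mappings from the old per-issue fields to Clean Code impacts.
SEVERITY_MAP = {"BLOCKER": "HIGH", "CRITICAL": "HIGH", "MAJOR": "MEDIUM",
                "MINOR": "LOW", "INFO": "LOW"}
QUALITY_MAP = {"VULNERABILITY": "SECURITY", "BUG": "RELIABILITY",
               "CODE_SMELL": "MAINTAINABILITY"}
ATTRIBUTE_MAP = {"SECURITY": "TRUSTWORTHY", "RELIABILITY": "LOGICAL",
                 "MAINTAINABILITY": "CONVENTIONAL"}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def convert(old):
    """Return a report in the current generic issue format (rules + issues)."""
    rules = {}
    issues = []
    for issue in old["issues"]:
        key = (issue["engineId"], issue["ruleId"])
        quality = QUALITY_MAP[issue.get("type", "VULNERABILITY")]
        impact_sev = SEVERITY_MAP[issue.get("severity", "MAJOR")]
        rule = rules.get(key)
        if rule is None:
            rule = rules[key] = {
                "id": issue["ruleId"],
                "name": issue["ruleId"],
                "description": issue["primaryLocation"]["message"],
                "engineId": issue["engineId"],
                "cleanCodeAttribute": ATTRIBUTE_MAP[quality],
                "impacts": [{"softwareQuality": quality, "severity": impact_sev}],
            }
        else:
            # Same rule reported at several severities: keep the highest one,
            # since severity now lives on the rule rather than on the issue.
            current = rule["impacts"][0]["severity"]
            if SEVERITY_RANK[impact_sev] > SEVERITY_RANK[current]:
                rule["impacts"][0]["severity"] = impact_sev
        new_issue = {"ruleId": issue["ruleId"],
                     "primaryLocation": issue["primaryLocation"]}
        for field in ("effortMinutes", "secondaryLocations"):
            if field in issue:
                new_issue[field] = issue[field]
        issues.append(new_issue)
    return {"rules": list(rules.values()), "issues": issues}


def is_new_format(report):
    """True when no issue still carries the deprecated per-issue fields."""
    return "rules" in report and not any(
        k in i for i in report["issues"] for k in ("engineId", "severity", "type"))


if __name__ == "__main__":
    # Usage: python convert.py sonarqube-results.json sonarqube-results-v2.json
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else OLD_REPORT
    out = convert(src)
    with open(sys.argv[2] if len(sys.argv) > 2 else "sonarqube-results-v2.json", "w") as f:
        json.dump(out, f, indent=2)
```

Point sonar.externalIssuesReportPaths at the converted file and the deprecation warning should no longer appear; the per-rule severity is a one-way flattening, so check the resulting rule impacts against what you expect before relying on them for quality gates.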