We are considering using Anchore for our vulnerability scanning (it appears to be able to scan packages in the container so it might be an alternative to OWASP).
Of course we’d end up missing the cool integration between OWASP reports and SonarQube.
Are there any integrations that exist with Anchore? If not and someone was really motivated, how would they go about creating one?
I’m not aware of any existing integration.
Presumably Anchore generates reports that list issues and corresponding code locations? If so, you can either translate them to the Generic Issues format or write a plugin that allows you to
- manage Anchore rules in your Quality Profile
- import reports in their native format
As a model for that, there’s probably an analogous OSS plugin in the Marketplace you could look at.
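The first option mentioned above (translating the report to SonarQube's Generic Issue Data format, fed in via `sonar.externalIssuesReportPaths`) is the quickest way to get Anchore findings into SonarQube without writing a plugin. The script below is an added example written for this thread; it is not code from Anchore, SonarSource or the thread's participants. It assumes the Anchore report is JSON with a top-level `vulnerabilities` list whose entries carry `vuln`, `package`, `severity`, `fix` and `url` fields (the shape of anchore-engine's `image vuln ... --json` output; check it against your own report), and the sample report embedded in it is constructed with placeholder identifiers. Because package vulnerabilities have no source-code location, every issue is attached file-level to one file you pick from the project (for example the `Dockerfile`); the Generic Issue format requires `filePath` to be a file SonarQube indexes, while `textRange` may be omitted.

```python
"""Convert an Anchore vulnerability report to SonarQube Generic Issue Data.

Added example for this thread (not Anchore's or SonarSource's code). The
input field names below are assumed from anchore-engine's JSON output.
"""
import json
import sys

# Anchore severity labels mapped onto the severities the Generic Issue
# format accepts (BLOCKER, CRITICAL, MAJOR, MINOR, INFO). Unknown labels
# fall back to INFO rather than being dropped.
SEVERITY_MAP = {
    "critical": "BLOCKER",
    "high": "CRITICAL",
    "medium": "MAJOR",
    "low": "MINOR",
    "negligible": "INFO",
    "unknown": "INFO",
}


def to_sonar_issue(vuln, target_file, engine_id):
    """Map one Anchore finding to one Generic Issue entry.

    The issue is file-level (no textRange) because a container package
    vulnerability has no line in the project's sources.
    """
    vuln_id = vuln.get("vuln", "UNKNOWN")
    package = vuln.get("package", "?")
    anchore_sev = str(vuln.get("severity", "Unknown"))
    fix = vuln.get("fix") or "none"
    message = "{} in package {} (Anchore severity: {}; fix: {})".format(
        vuln_id, package, anchore_sev, fix)
    if vuln.get("url"):
        message += " " + vuln["url"]
    return {
        "engineId": engine_id,
        "ruleId": vuln_id,  # one SonarQube "rule" per vulnerability id
        "severity": SEVERITY_MAP.get(anchore_sev.lower(), "INFO"),
        "type": "VULNERABILITY",
        "primaryLocation": {
            "message": message,
            "filePath": target_file,  # must be a file SonarQube indexes
        },
    }


def convert(report, target_file, engine_id="anchore"):
    """Return a Generic Issue Data document for the whole Anchore report."""
    findings = report.get("vulnerabilities", [])
    return {"issues": [to_sonar_issue(v, target_file, engine_id) for v in findings]}


# Constructed sample report with placeholder identifiers (not real CVEs).
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "package": "openssl-1.1.1",
         "severity": "High", "fix": "1.1.1k", "url": "https://example.invalid/1"},
        {"vuln": "CVE-0000-0002", "package": "bash-5.0",
         "severity": "Negligible", "fix": None, "url": None},
    ]
}


if __name__ == "__main__":
    # usage: python anchore2sonar.py <anchore.json> <output.json> [file-in-project]
    if len(sys.argv) < 3:
        result = convert(SAMPLE_REPORT, "Dockerfile")
        print(json.dumps(result, indent=2))
    else:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
        target = sys.argv[3] if len(sys.argv) > 3 else "Dockerfile"
        with open(sys.argv[2], "w") as out:
            json.dump(convert(report, target), out, indent=2)
```

Point the scanner at the output with `sonar.externalIssuesReportPaths=output.json`. Issues imported this way appear under the engine id given (`anchore` here) and cannot be managed in a Quality Profile; that is exactly the limitation the plugin route removes.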
Is there documentation and examples for writing a plugin?
There is some documentation. This is a good place to start.
For examples, many of the language analyzers are OSS, and all the community plugins in the marketplace are OSS. Just pick the ones that do something like what you want to achieve and go from there.
Feel free to come back here when you have specific development questions & open new threads in the Plugin Development category.
Hey thanks, that helps. I think I’d be interested in a good (simple) example of a plugin that is used to support a new file format for importing issues. Maybe you can point me to one of those?
The Dependency-Check plugin is likely a good example to work from.