Associating issues with OWASP, SANS, and CWEs via the API

I am using the current version of Community SonarQube (7.7) with no plugins and am extending the functionality of the web application to give me information about the OWASP/SANS/CWE issues raised during the scanning of my projects.

However, there is no direct association between project issues and the standard issue base (I tested against CWEs in particular) that they might correspond to, at least as reported by the JSON serialization given to my ComponentContainer. For example, an issue returned in the response might have rule "javascript:NonEmptyCaseWithoutBreak" but won’t have any direct reference to cwe-484.

Is there a way to get this information?

Thanks!

It seems like even though this information is included in the plugin rules, it’s inaccessible via the rule info endpoint on the server. Querying https://sonarcloud.io/api/rules/show?key=javascript:NonEmptyCaseWithoutBreak does not reflect that this rule corresponds with CWE 484. Is there anything that can be done to modify this endpoint?

Hi,

Perhaps you could describe what you’re trying to accomplish?

:slight_smile:
Ann

Yeah, sure. The simplest way to frame it is that I want to know which CWE/OWASP/SANS standard vulnerabilities correspond to each rule that triggers an issue when a project is scanned. My example is javascript:NonEmptyCaseWithoutBreak, which is associated with cwe-484 in the JavaScript plugin; the problem is that this relation does not appear anywhere in the API.

Hi,

It’s still not clear to me what your goal is. But okay.

You can do a text search on rules for your CWE numbers, and from each rule you can get to its issues. On the other side, you can use the Security Category / CWE issues facet to go straight to rules, although I’m not certain that all analyzers feed the data for that yet. (Note that the UI is fed by web services that can certainly be invoked directly. Your browser’s developer tools will be a big help here.)

Ann

Within the sonar-javascript-plugin-5.1.1.7506.jar file there is the following JSON file named NonEmptyCaseWithoutBreak.json:

{
  "title": "Switch cases should end with an unconditional \"break\" statement",
  "type": "CODE_SMELL",
  "status": "ready",
  "remediation": {
    "func": "Constant\/Issue",
    "constantCost": "10min"
  },
  "tags": [
    "cwe",
    "misra",
    "cert",
    "suspicious"
  ],
  "standards": [
    "CWE"
  ],
  "defaultSeverity": "Blocker",
  "ruleSpecification": "RSPEC-128",
  "sqKey": "NonEmptyCaseWithoutBreak",
  "scope": "All",
  "securityStandards": {
    "CWE": [
      484
    ]
  }
}

As far as I can tell, this is what is being relayed when you access /api/rules/show?key=javascript:NonEmptyCaseWithoutBreak; however, what is omitted when you go to that web service endpoint is the "securityStandards" data, which is what I need access to.

Really I’m just wondering whether it’s possible to access this data any other way, or if I’ll have to patch the actual API on the server side to get to it. Thanks for the help :slight_smile:
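The approach the post above describes (reading the rule metadata straight out of the analyzer JAR and joining it to the `rule` field of each issue from /api/issues/search) can be done without patching the server. The script below is an added example written for this thread; it is not SonarQube code and not the poster's code. It assumes that every rule's metadata is a `*.json` entry in the JAR carrying an `sqKey` and, optionally, a `securityStandards` object, and that the rule key seen on issues is `<repository>:<sqKey>` (the thread shows this holds for `javascript:NonEmptyCaseWithoutBreak`). The JAR paths, the two extra rules and the issue records are constructed here so the example runs offline; with a real plugin you would pass the bytes of the JAR file instead of `build_sample_jar()`.

```python
"""Recover the rule -> CWE mapping that /api/rules/show omits (SonarQube 7.7)
by reading rule metadata JSON shipped inside an analyzer JAR, then use it to
annotate issues from /api/issues/search.

Added example for the forum thread, not SonarQube's own code. Assumptions:
  * rule metadata is a *.json entry in the JAR whose object has "sqKey"
    and, optionally, "securityStandards" (paths below are constructed)
  * the rule key on an issue is "<repository>:<sqKey>"
"""
import io
import json
import zipfile
from typing import Dict, List, Optional

# Constructed stand-in for the JAR contents. The first entry is the thread's
# NonEmptyCaseWithoutBreak.json trimmed to the relevant fields; the other two
# rules are made up to show several standards and no standards at all.
SAMPLE_RULE_FILES = {
    "org/sonar/l10n/javascript/rules/javascript/NonEmptyCaseWithoutBreak.json": {
        "title": "Switch cases should end with an unconditional \"break\" statement",
        "type": "CODE_SMELL",
        "tags": ["cwe", "misra", "cert", "suspicious"],
        "sqKey": "NonEmptyCaseWithoutBreak",
        "securityStandards": {"CWE": [484]},
    },
    "org/sonar/l10n/javascript/rules/javascript/ConstructedSqlRule.json": {
        "title": "constructed rule carrying two standards",
        "type": "VULNERABILITY",
        "sqKey": "ConstructedSqlRule",
        "securityStandards": {"CWE": [89, 564], "OWASP": ["A1"]},
    },
    "org/sonar/l10n/javascript/rules/javascript/ConstructedPlainRule.json": {
        "title": "constructed rule with no security standards",
        "type": "CODE_SMELL",
        "sqKey": "ConstructedPlainRule",
    },
    # Plugins also ship non-rule JSON (quality profiles); the loader must skip it.
    "org/sonar/l10n/javascript/rules/javascript/Sonar_way_profile.json": {
        "name": "Sonar way",
        "ruleKeys": ["NonEmptyCaseWithoutBreak"],
    },
}

# Constructed issues in the shape of /api/issues/search results; only the
# "rule" field is relied on, which the thread confirms is present.
SAMPLE_ISSUES = [
    {"key": "AWx-1", "rule": "javascript:NonEmptyCaseWithoutBreak", "component": "proj:src/a.js"},
    {"key": "AWx-2", "rule": "javascript:ConstructedPlainRule", "component": "proj:src/b.js"},
    {"key": "AWx-3", "rule": "javascript:NotInThisJar", "component": "proj:src/c.js"},
]


def build_sample_jar() -> bytes:
    """Pack the sample files into an in-memory ZIP (a JAR is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, obj in SAMPLE_RULE_FILES.items():
            zf.writestr(name, json.dumps(obj))
    return buf.getvalue()


def load_security_standards(jar_bytes: bytes, repository: str) -> Dict[str, Dict[str, List]]:
    """Map '<repository>:<sqKey>' -> securityStandards for every rule JSON in the JAR.

    A rule without a securityStandards object maps to {} so callers can tell
    "known rule, no standards" apart from "rule not in this JAR".
    """
    mapping: Dict[str, Dict[str, List]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json"):
                continue
            try:
                obj = json.loads(zf.read(name).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue  # not a JSON document we can read
            if not isinstance(obj, dict) or "sqKey" not in obj:
                continue  # quality profile or other non-rule JSON
            standards = obj.get("securityStandards") or {}
            mapping[f"{repository}:{obj['sqKey']}"] = {s: list(ids) for s, ids in standards.items()}
    return mapping


def rules_for_cwe(mapping: Dict[str, Dict[str, List]], cwe_id: int) -> List[str]:
    """Reverse lookup: rule keys tagged with the given CWE id."""
    return sorted(k for k, std in mapping.items() if cwe_id in std.get("CWE", []))


def annotate_issues(issues, mapping) -> List[dict]:
    """Copy each issue and add a 'cwe' list ("CWE-484" style).

    'cwe' is None when the rule is not in the mapping at all, and [] when the
    rule is known but carries no CWE.
    """
    out = []
    for issue in issues:
        standards: Optional[Dict[str, List]] = mapping.get(issue["rule"])
        enriched = dict(issue)
        enriched["cwe"] = None if standards is None else [f"CWE-{n}" for n in standards.get("CWE", [])]
        out.append(enriched)
    return out


if __name__ == "__main__":
    rule_map = load_security_standards(build_sample_jar(), "javascript")
    print("rules for CWE-484:", rules_for_cwe(rule_map, 484))
    for row in annotate_issues(SAMPLE_ISSUES, rule_map):
        print(row["key"], row["rule"], row["cwe"])
```

Because the mapping is keyed by the full rule key, the same loop works across several analyzers by loading each plugin JAR with its own repository name (`"javascript"`, `"java"`, and so on) and merging the dictionaries; an issue whose rule is missing from every JAR comes back with `cwe` set to None, which is the case worth flagging rather than silently treating as "no CWE".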

I have addressed this in a pull request: https://github.com/SonarSource/sonarqube/pull/3210