Can SonarQube scan the source code for FIPS 140-2 compliance?

Hi,

Can SonarQube be used to scan source code to check for FIPS 140-2 compliance?

FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies in US. We are trying to specify if our software components are FIPS compliant or not.

Welcome :slight_smile:

There was already a similar question in 2020; the answer was

Gilbert

Thank you for your response.
The publication mentioned in this post is quite old. Does the aforementioned rule support this publication - SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations | CSRC

Hi,

Notwithstanding the fact that we map rules to applicable sections in standards, Sonar doesn’t offer compliance tools. So even if we had FIPS-related rules (which I don’t believe we do), you wouldn’t really be able to use SonarQube to show FIPS compliance.

That said, I’m going to flag this for the Product Managers so they can log your interest in FIPS-related rules.

Ann

Hello,

We are working on two topics related to FIPS these days:

If our understanding of the FIPS 140-2 compliance is correct, to be compliant with FIPS everything you use to make and run your software must comply with the 240+ STIGs. When we looked at these 240+ STIGs, only the U_ASD_V5R3_STIG STIG was related to code and static analysis.

The effort to map our security rules to U_ASD_V5R3_STIG STIG is done on our side, and the result of this should normally be a report that will show you if you have issues that you must fix in order to have no discrepancy related to the FIPS compliance. We won’t tell you that your code is compliant (I’m not sure anyone can do that on the market), but we will be here to help your developers in that direction. That should come for the next LTS/LTA, which is scheduled for Sept 2024.

Meanwhile, using SonarQube Developer Edition+ will definitely help you toward getting FIPS 140-2 compliance by helping you find and fix security issues.

I would love to hear your perspective and how you approach FIPS 140-2 compliance. Would you be up for a quick call with us?

Alex
