Hello,
We are working on two topics related to FIPS these days:
- Support running SonarQube in a FIPS-enforced environment
- Map our existing security rules to this particular STIG U_ASD_V5R3_STIG STIG
Application Security and Development Security Technical Implementation Guide
If our understanding of the FIPS 140-2 compliance is correct, to be compliant with FIPS everything you use to make and run your software must comply with the 240+ STIGs. When we looked at these 240+ STIGs, only the U_ASD_V5R3_STIG STIG was related to code and static analysis.
The effort to map our security rules to U_ASD_V5R3_STIG STIG is done on our side, and the result of this should normally be a report that will show you if you have issues that you must fix in order to have no discrepancy related to the FIPS compliance. We won’t tell you that your code is compliant (I’m not sure anyone can do that on the market), but we will be here to help your developers in that direction. That should come for the next LTS/LTA, which is scheduled for Sept 2024.
Meanwhile, using SonarQube Developer Edition+ will definitely help you toward getting FIPS 140-2 compliance by helping you find and fix security issues.
I would love to hear your perspective and how you approach FIPS 140-2 compliance. Would you be up for a quick call with us?
Alex