I am developing a custom plugin to import a json report from a vulnerability scanning tool.
As the vulnerabilities are known by the external tool but not by Sonar, I can’t bind issues to specific rules for those issues. So I have only one rule for all vulnerabilities, and I would like to dynamically set the “What’s the risk” section of the Security Hotspot.
I did not find any way to do this. The only section which I manage to set is the title of the issue, so my plugin actually sets a very long title with the CVE number, CVE description, CVSS score, etc.
It is not very readable…
Would it be possible to customize issues to add more details directly from the sensor?
I’ve moved this to the ‘Product Manager for a Day’ category since you’re asking for something that doesn’t exist.
Would you mind expanding on why your approach is to write a plugin to import external issues, rather than writing a plugin to declare rules in SonarQube? That would give you far more control, although it still wouldn’t give you dynamic rule descriptions.
To be more precise, I am writing a plugin to import the result of a Grype scan with a json file.
I can see different reasons why I am not writing a plugin to declare rules directly in SonarQube:
- Grype does the major part of the work; it looks very difficult to write an entire plugin which does so many things.
- Grype scans an entire container image, so a lot more than we can analyze with only the source code of an application (Linux packages particularly).
- In my approach, I have only one rule declared by the plugin: “A component with a known vulnerability is used”, and I don’t see other rules which could be useful in my case.
In fact, the only missing thing is just the ability to add a custom information message on an issue. I am thinking of using comments for this…
You can certainly customize the message/title per issue. No need to use comments.
And I still suspect you would benefit from having more than one rule registered in SonarQube by your plugin. Surely there are broad categories of findings from the tool?
Hi,
Yes, I am actually using the title to display the main information like the CVSS score, the package, its version and its type, but I have a lot more information which I could display, and the title would become too wide to be easily readable.
I eventually could have a few rules, one per package type for example (deb, java, etc.), but this would not resolve the main issue of displaying a large piece of custom information.
For example, I would also like to display a link to the CVE (example: CVE-2007-6755) and the full description:
The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.
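As an added example (not code from this thread, from Grype or from SonarSource), here is the shaping step a sensor could do before handing each finding to SonarQube: read the Grype report, pick one of a few rule keys by package type as suggested above, map the scanner severity to a Sonar severity, and split the information into a short message for the issue and a longer detail string. The report layout is a constructed sample modelled on Grype's JSON output (`matches[].vulnerability`, `matches[].artifact`); the field names, the rule keys, the severity mapping and the message length limit are assumptions, not anything the thread or Grype documents.

```python
"""Shape Grype JSON findings into short issue messages plus a detail block.

Added example; not code from the thread, Grype or SonarSource. The report
structure is a constructed sample modelled on Grype's JSON output and must be
checked against the report your Grype version actually produces.
"""
import json

# Assumption: keep the headline short so the issue list stays readable.
MAX_MESSAGE_LEN = 200

# Assumption: a handful of rule keys, one per package family, with a generic
# fallback (the thread's "A component with a known vulnerability is used").
RULE_KEY_BY_TYPE = {
    "deb": "grype:vulnerable-deb-package",
    "rpm": "grype:vulnerable-rpm-package",
    "java-archive": "grype:vulnerable-java-dependency",
}
GENERIC_RULE_KEY = "grype:vulnerable-component"

# Assumption: Grype severity labels mapped onto SonarQube severity names.
SONAR_SEVERITY = {
    "Critical": "BLOCKER", "High": "CRITICAL", "Medium": "MAJOR",
    "Low": "MINOR", "Negligible": "INFO", "Unknown": "INFO",
}

# Constructed sample report (two findings); not real scanner output.
SAMPLE_REPORT = json.dumps({"matches": [
    {
        "vulnerability": {
            "id": "CVE-2007-6755",
            "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2007-6755",
            "severity": "Medium",
            "description": "The NIST SP 800-90A default statement of the Dual "
                           "Elliptic Curve Deterministic Random Bit Generation "
                           "(Dual_EC_DRBG) algorithm contains point Q constants "
                           "with a possible relationship to certain \"skeleton "
                           "key\" values.",
            "cvss": [{"version": "2.0", "metrics": {"baseScore": 5.8}}],
            "fix": {"versions": [], "state": "not-fixed"},
        },
        "artifact": {"name": "libssl", "version": "1.0.0", "type": "deb"},
    },
    {
        "vulnerability": {
            "id": "EXAMPLE-0001",  # placeholder identifier, not a real CVE
            "dataSource": "https://example.invalid/EXAMPLE-0001",
            "severity": "High",
            "description": "Constructed placeholder finding for a Java dependency.",
            "cvss": [{"version": "3.1", "metrics": {"baseScore": 7.5}}],
            "fix": {"versions": ["2.0.1"], "state": "fixed"},
        },
        "artifact": {"name": "example-lib", "version": "2.0.0",
                     "type": "java-archive"},
    },
]})


def highest_cvss(vuln):
    """Return the highest base score across all CVSS entries, or None."""
    scores = [c.get("metrics", {}).get("baseScore") for c in vuln.get("cvss", [])]
    scores = [s for s in scores if s is not None]
    return max(scores) if scores else None


def build_issue(match):
    """Turn one Grype match into rule key, severity, short message and detail."""
    vuln, art = match["vulnerability"], match["artifact"]
    score = highest_cvss(vuln)
    severity = vuln.get("severity", "Unknown")
    headline = (f"{vuln['id']} ({severity}, CVSS {score if score is not None else 'n/a'}) "
                f"in {art['name']} {art['version']} [{art['type']}]")
    if len(headline) > MAX_MESSAGE_LEN:
        headline = headline[:MAX_MESSAGE_LEN - 3] + "..."
    fix_versions = vuln.get("fix", {}).get("versions") or []
    fix_line = ("Fix: upgrade to " + ", ".join(fix_versions)) if fix_versions else "Fix: none available"
    detail = "\n".join([
        f"Reference: {vuln.get('dataSource', 'n/a')}",
        fix_line,
        f"Description: {vuln.get('description', '').strip()}",
    ])
    return {
        "ruleKey": RULE_KEY_BY_TYPE.get(art.get("type"), GENERIC_RULE_KEY),
        "sonarSeverity": SONAR_SEVERITY.get(severity, "INFO"),
        "message": headline,
        "detail": detail,
    }


def build_issues(report_json):
    """Parse a Grype JSON report (as a string) into a list of issue dicts."""
    return [build_issue(m) for m in json.loads(report_json).get("matches", [])]


if __name__ == "__main__":
    for issue in build_issues(SAMPLE_REPORT):
        print(issue["ruleKey"], issue["sonarSeverity"], issue["message"], sep=" | ")
        print(issue["detail"], end="\n\n")
```

The `message` field is what the sensor would pass to the issue location's `message(...)` when it creates the issue; the `detail` string is the part that does not fit in a title and is where the reference link and full description end up, whatever mechanism the plugin finally uses to surface it.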