I am developing a custom plugin to import a json report from a vulnerability scanning tool.
As the vulnerabilities are known by the external tool but not by Sonar, I can’t bind those issues to specific rules. So I have only one rule for all vulnerabilities and I would like to dynamically set the “What’s the risk” section of the Security Hotspot.
I did not find any way to do this. The only section which I manage to set is the title of the issue, so my plugin actually sets a very long title with the CVE number, CVE description, CVSS score, etc.
It is not very readable…
Would it be possible to customize issues to add more details directly from the sensor?
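For readers who want to see what "one rule, long title" looks like in a sensor, here is an added example (not the poster's plugin and not SonarSource code). It assumes sonar-plugin-api 7.4 or later, where `newExternalIssue()` and `newAdHocRule()` exist, and it replaces the JSON report with a constructed list of findings; the engine id, the `Finding` class, and the CVSS-to-severity mapping are assumptions for illustration. It keeps the issue message short and puts the long CVE text into the per-CVE ad hoc rule's description field, which is the closest thing the external-issue API offers to a per-issue description.

```java
// Added example, not the original poster's plugin nor SonarSource code.
// Assumes sonar-plugin-api 7.4+ (NewExternalIssue, NewAdHocRule).
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.rule.Severity;
import org.sonar.api.batch.sensor.Sensor;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
import org.sonar.api.batch.sensor.issue.NewExternalIssue;
import org.sonar.api.batch.sensor.issue.NewIssueLocation;
import org.sonar.api.batch.sensor.rule.NewAdHocRule;
import org.sonar.api.rules.RuleType;

public class ExternalVulnReportSensor implements Sensor {

  // Hypothetical engine id; any stable string identifying the external tool works.
  private static final String ENGINE_ID = "example-vuln-scanner";

  /** One finding from the scanner report (constructed stand-in for a JSON record). */
  static final class Finding {
    final String cveId, pkg, version, description, filePath;
    final double cvss;
    Finding(String cveId, String pkg, String version, double cvss, String description, String filePath) {
      this.cveId = cveId; this.pkg = pkg; this.version = version;
      this.cvss = cvss; this.description = description; this.filePath = filePath;
    }
  }

  @Override
  public void describe(SensorDescriptor descriptor) {
    descriptor.name("External vulnerability report import (example)");
  }

  @Override
  public void execute(SensorContext context) {
    Set<String> declaredRules = new HashSet<>();
    FileSystem fs = context.fileSystem();

    for (Finding f : loadReport()) {
      // One ad hoc rule per CVE id: its description carries the long text
      // (summary, NVD link) that would otherwise bloat the issue title.
      if (declaredRules.add(f.cveId)) {
        NewAdHocRule rule = context.newAdHocRule()
            .engineId(ENGINE_ID)
            .ruleId(f.cveId)
            .name(f.cveId)
            .description(ruleDescription(f))
            .type(RuleType.VULNERABILITY)
            .severity(severityFromCvss(f.cvss));
        rule.save();
      }

      InputFile file = fs.inputFile(fs.predicates().hasPath(f.filePath));
      if (file == null) {
        continue; // the manifest is not part of the analysed sources; nothing to attach to
      }

      NewExternalIssue issue = context.newExternalIssue()
          .engineId(ENGINE_ID)
          .ruleId(f.cveId)
          .type(RuleType.VULNERABILITY)
          .severity(severityFromCvss(f.cvss));
      NewIssueLocation location = issue.newLocation().on(file).message(shortMessage(f));
      issue.at(location).save();
    }
  }

  /** Short, readable issue message: what is affected and how bad. */
  static String shortMessage(Finding f) {
    return String.format("%s: %s %s (CVSS %.1f)", f.cveId, f.pkg, f.version, f.cvss);
  }

  /** Long text that goes into the rule description rather than the title. */
  static String ruleDescription(Finding f) {
    return f.description + "\n\nReference: https://nvd.nist.gov/vuln/detail/" + f.cveId;
  }

  /** Assumed mapping from CVSS base score to SonarQube severity (not an official table). */
  static Severity severityFromCvss(double cvss) {
    if (cvss >= 9.0) return Severity.BLOCKER;
    if (cvss >= 7.0) return Severity.CRITICAL;
    if (cvss >= 4.0) return Severity.MAJOR;
    if (cvss > 0.0) return Severity.MINOR;
    return Severity.INFO;
  }

  /** Constructed sample data standing in for the parsed JSON report. */
  private static List<Finding> loadReport() {
    List<Finding> findings = new ArrayList<>();
    findings.add(new Finding("CVE-0000-0001", "example-lib", "1.2.3", 7.5,
        "Constructed description of a sample finding.", "pom.xml"));
    return findings;
  }
}
```

The sensor is registered through the plugin's `Plugin.define(Context)` as usual; deduplicating ad hoc rules by CVE id matters because the same CVE can appear against several packages, and the rule description, not the issue message, is where the multi-sentence text from the report belongs.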
I’ve moved this to the ‘Product Manager for a Day’ category since you’re asking for something that doesn’t exist.
Would you mind expanding on why your approach is to write a plugin to import external issues, rather than writing a plugin to declare rules in SonarQube? That would give you far more control, although it still wouldn’t give you dynamic rule descriptions.
Yes, I am actually using the title to display the main information, like the CVSS score, the package, its version and its type, but I have a lot more information which I could display, and the title would become too wide to be easily readable.
I could eventually have a few rules, one per package type for example (deb, java, etc.), but this would not resolve the main issue of displaying large custom pieces of information.
For example, I would also like to display a link to the CVE (example: CVE-2007-6755) and the full description:
The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.