DoD Application Security and Development STIG Questions

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube Developer Edition Version 7.6 (build 21501)
  • what are you trying to achieve
    DoD Application Security and Development STIG Questions
  • what have you tried so far to achieve this
    Get answers to security related questions on how SonarQube is developed and secured to address DOD Application Security and Development STIG Questions

Does the application utilize WS-Security tokens? [V-69279][V-69285]

Does the application utilize WSS or SAML assertions? If yes, does it verify that validity periods are checked on all messages using WS-Security or SAML assertions? [V-69281][V-69287][V-69289][V-70197]

How does the application determine if a certification path that includes status information is constructed when certificate validation occurs? [V-70149]

Does the application destroy the session ID value and/or cookie on logoff or browser close? [V-70207][V-69241]

Does the application store sensitive information in hidden fields? [V-70255]

How does the application protect from Cross-Site Scripting (XSS) vulnerabilities? [V-70257]

How does the application protect from command injection? [V-70261]

How does the application protect from SQL injection? [V-70267]

How does the application protect against XML-oriented attacks? [V-70269]

How does the application protect against input handling vulnerabilities? [V-70271]

How does the application protect against overflow attacks? [V-70277]

Does your application contain embedded authentication data? [V-70363]

Does the application have the capability to mark sensitive classified output when required? [V-70365]

Does the application utilize SOAP messages? If yes, do SOAP messages requiring integrity include the following message elements: Message ID, Service Request, Timestamp, SAML Assertion (optionally included in messages), and are all elements of the message digitally signed? [V-69261]

Does the application ensure each unique asserting party provides unique assertion ID references for each SAML assertion? [V-69283]

Does the application ensure if a OneTimeUse element is used in a SAML assertion? [V-69291]

Does the application ensure messages are encrypted when the SessionIndex is tied to privacy data? [V-69293]

Does the application provide data control flow capabilities? [V-69333][V-69335]

Does the application provide log aggregation services? [V-69359]

Does the application provide a report generation capability that does not alter original content or time ordering of audit records? [V-69475]

Does the application maintain a separate execution domain for each executing process? [V-70233]

Does the application mitigate DoS attacks by using XML filters, parser options, or gateways? [V-70237]

Does the application restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems? [V-70239]

Does the application use XML-based web services? If so, does it have an XML firewall function? [V-70243]

Can the application demonstrate its cryptographic hash validation process or provide process documentation? [V-70369]

Hi @nbislicense,

It looks like you’ve also raised your questions in a Support ticket through our service desk, is that correct? If so, to avoid doubling up on responses, our team will get back to you via that channel.



You are correct. I had some issues submitting a support ticket, which I’ve resolved. Once I get answers via that channel, I will share with the community.


For posterity:

MMF-2131 - SonarQube provides DOD-approved Docker images

Target “soon”.


FYI, from SonarQube 8.5 you’ll find new releases in the Iron Bank.