Must-share information (formatted with Markdown):
Version: 9.9 LTS (latest version)
Deployed Instance: Dockerized Container
CI Flow: Bitrise.io using the SonarQube Scanner step to submit build / repo to sonarqube instance
What do you want to achieve?
What have you tried so far to achieve this?
I tried setting the sonar.sources property in the CI step to include the podfile, but it didn't seem to change the result. Is this even possible to do? Any thoughts on how I might do it?
Hello Brad and thank you for the interest,
Are you asking if SonarQube can analyze the dependencies declared in your Cocoa Pods file for known vulnerabilities in the same way as dependabot does?
Yes. I currently have to do a manual OWASP scan in our own CI and I can’t even upload the report file it produces to sonarqube to store the current report I manually make.
I would prefer sonarqube to do the scan on podfile.lockfile and report vulnerabilities in its dashboard. If sonarqube can't scan the cocoa pods using the lockfile and give me a vulnerability report, it sort of defeats the purpose of paying for sonarqube for swift based apps at this point, as it keeps saying our code has 0 vulnerabilities. The entire purpose we got scanning was to scan for vulnerabilities, which it apparently can't do, as it eternally says 0 in every scan. OWASP scan returns 6 vulnerabilities, 2 of which are Critical level. The "duplicate code" and "Bugs" work, but are pretty useless.
We don’t do SCA. (I didn’t realize that’s what you were asking for in our previous conversation.) Since the functionality doesn’t exist, I’m going to move this topic to the Product Manager for a Day category.
Is there a way I can upload my manually created report done via OWASP scanner to the sonarqube scan report in that case then? Like "Additional files" or something?
My output generates an HTML file report from the owasp tool API and if I could use Sonarqube as a singular dashboard for compliance monitoring perhaps I can get my Sec Ops boss to keep the system running*.
Doh! I meant to mention that & got distracted.
I'm guessing you're using the OWASP Dependency Check tool to check your podfiles? A little digging reveals that it will export to a `--format SARIF`, which you can then import into analysis. Failing that, you can convert your reports to the Generic Issues format, and import them that way.
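As an added illustration of the second route (not code from SonarSource or from the OWASP project), the script below converts a Dependency-Check JSON report into SonarQube's Generic Issue Import format, which the scanner picks up via `sonar.externalIssuesReportPaths`. The sample report embedded in it is constructed, the CVE identifiers are obvious placeholders, the project root path is hypothetical, and the severity mapping is an assumption you may want to adjust to your own policy; the field names on the SonarQube side are those of the 9.x generic issue format.

```python
"""Convert an OWASP Dependency-Check JSON report into SonarQube's
Generic Issue Import format (consumed via sonar.externalIssuesReportPaths).

Added example, not SonarSource's or OWASP's own code. The input shape is a
subset of Dependency-Check's JSON output; the sample below is constructed.
"""
import json
import os
import sys

# Constructed sample in the shape of a Dependency-Check JSON report.
# CVE ids are placeholders, and /bitrise/src is a hypothetical checkout path.
SAMPLE_REPORT = {
    "dependencies": [
        {
            "fileName": "Podfile.lock",
            "filePath": "/bitrise/src/Podfile.lock",
            "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "CRITICAL",
                 "description": "Constructed placeholder finding 1",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-00002", "severity": "MEDIUM",
                 "description": "Constructed placeholder finding 2",
                 "cvssv3": {"baseScore": 5.3}},
            ],
        },
        # A dependency with no findings must produce no issues.
        {"fileName": "Podfile", "filePath": "/bitrise/src/Podfile",
         "vulnerabilities": []},
    ]
}

# Assumed mapping from Dependency-Check severities to SonarQube severities.
SEVERITY_MAP = {
    "CRITICAL": "BLOCKER",
    "HIGH": "CRITICAL",
    "MEDIUM": "MAJOR",
    "MODERATE": "MAJOR",
    "LOW": "MINOR",
}


def relative_path(abs_path, project_root, fallback):
    """Generic issues need paths relative to the project root; Dependency-Check
    reports absolute paths. Fall back to the bare file name if the path does
    not sit under the root (e.g. a cached pod outside the checkout)."""
    rel = os.path.relpath(abs_path, project_root)
    if rel.startswith(".."):
        return fallback
    return rel


def convert(report, project_root):
    """Return a dict in SonarQube generic issue format for every finding."""
    issues = []
    for dep in report.get("dependencies", []):
        path = relative_path(dep.get("filePath", ""), project_root,
                             dep.get("fileName", "unknown"))
        for vuln in dep.get("vulnerabilities") or []:
            score = (vuln.get("cvssv3") or vuln.get("cvssv2") or {}).get("baseScore")
            message = "%s (CVSS %s): %s" % (
                vuln.get("name", "unknown"),
                score if score is not None else "n/a",
                vuln.get("description", "").strip(),
            )
            issues.append({
                "engineId": "owasp-dependency-check",
                "ruleId": vuln.get("name", "unknown"),
                "severity": SEVERITY_MAP.get(str(vuln.get("severity", "")).upper(), "MAJOR"),
                "type": "VULNERABILITY",
                # No textRange: a lockfile finding applies to the whole file.
                "primaryLocation": {"message": message, "filePath": path},
            })
    return {"issues": issues}


def write_sonar_report(report, project_root, out_path):
    """Write the converted report and return the number of issues emitted."""
    converted = convert(report, project_root)
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(converted, fh, indent=2)
    return len(converted["issues"])


if __name__ == "__main__":
    # Usage: python convert_dc.py dependency-check-report.json <project_root> sonar-issues.json
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            dc_report = json.load(fh)
        n = write_sonar_report(dc_report, sys.argv[2], sys.argv[3])
    else:
        n = write_sonar_report(SAMPLE_REPORT, "/bitrise/src", "sonar-issues.json")
    print("wrote %d issue(s)" % n)
```

Run Dependency-Check with `--format JSON` in the CI step before the scanner, run this converter, then pass `-Dsonar.externalIssuesReportPaths=sonar-issues.json` to the scanner; with the SARIF route instead, the corresponding property is `sonar.sarifReportPaths`. Either way the findings appear as external issues in the project dashboard rather than as the "0 vulnerabilities" from source analysis alone.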
Brilliant, thanks, will try it. I am being forced into a full SOC2 compliance audit Nov 1, so forgive the scramble, as we're having to determine which tools we keep for the audit or not. I love the dashboard, but our biggest holes in security are our vulnerabilities; this will help a lot.