Finding SonarAnalyzer.Security Analyzer

asaiovici · March 5, 2020, 5:11pm

Hi Everyone,
I am trying to enforce some of my Quality Profile rules in Visual Studio through the Sonar Analyzers provided by the SonarAnalyzer.CSharp NuGet. When I look at the rules included in the analyzer though, I see that a subset of rules are excluded – more specifically, the rules of the roslyn.sonaranalyzer.security.cs repo are all missing.

Here is a sample of some of those excluded rules (that we are trying to enforce ourselves):

S2083
S2078
S2631
S2076
S2091
S3649
S5131
S5146
S5145
S5144
S5167

After doing some research, it seems like there’s another NuGet (used, for instance, by the SonarScanner for MSBuild tool) which includes an analyzer by the same name, SonarAnalyzer.Security. Is this NuGet available to the public? Is it available for enterprise users (which we are), and if so, where/how?

Would appreciate any guidance here.

Thanks!

Andrei_Epure · March 10, 2020, 12:29pm

hi @asaiovici

the rules you mention are part of our commercial offering and use a Taint Analysis engine to find security injection vulnerabilities, tracking user input from its source until it reaches a vulnerable sink such as database calls, filesystem access etc.

Check out https://www.sonarqube.org/developer-edition/#security_vulnerability for more details.

However, the injection vulnerability detection rules do not run on SonarLint (even if you are using SQ Developer edition) due to current technical limitations.

asaiovici · March 13, 2020, 1:57pm

Hi @Andrei_Epure, thanks for the response.

I’m actually not running retrieving the Roslyn ruleset directly with SonarLint; instead, we wrote a custom script that generates it. So the script itself could support grabbing the rules from that repo and mapping it onto the SonarAnalyzer.Security analyzer.

Considering the aforementioned analyzer does exist in a NuGet by the same name (as used in SonarScanner for MSBuild), it seems like I’d technically be able to just point to that NuGet locally and use the analyzer within. Is there any other technical limitation that would prevent me from doing that? Can I just host that NuGet myself and use it as such (or better yet, do you guys provide some distribution channel for it)?

Thanks!

Andrei_Epure · March 13, 2020, 2:29pm

hi @asaiovici

As I said, the security injection rules are part of our commercial offering. If you are using

SonarCloud
SonarQube Developer edition or higher

you can use these rules by integrating with SonarQube/SonarCloud via the Scanner for MSBuild

If you are not using a commercial edition of SonarQube/SonarCloud, you cannot use these rules.

We do not offer nuget packages for this commercial offering feature.