Get SEI-CERT coverage - Extract CERT rules

Hi,

I know that I can see the list of rules available for each language here:
https://rules.sonarsource.com/c/

I would like to extract CERT rules only, to know what Sonar coverage is regarding this standard. The extract will probably be in Excel / CSV format (any other is OK, I can transform it later).

The main objective is to know which of the SEI CERT rules are covered by SonarQube checks.

So I could do it by extracting the rules and the associated “See” section.

I could not find a “coverage matrix” of the SEI CERT for C, CPP and Java. Does it exist?
The SEI CERT website is not always maintained, so I guess Sonar maintains the list of covered rules.

Thanks in advance for your answer/help,

Jix

PS: I created a new topic as I did not have any “up to date” answers on the old one here: Download SONAR Rules from https://rules.sonarsource.com/c/ - Get help / SonarQube - SonarSource Community

Hi,

Those mapping/coverage reports got killed a while ago.

For building your own reports… we didn’t build the rules site for this type of export so you’re going to end up screen scraping. Another option would be to go directly to the (current) source: our internal RSpec Jira project.

HTH,
Ann

Thanks for your answer,

What a surprise. I do not understand why Sonar does not provide this type of matrix. That is more than useful for many users, especially when talking about security compliance of our code against famous standards (SEI-CERT, MISRA and so on).

Moreover, most of the competitors do provide this type of info, so it makes sense to compare the coverage of the different solutions (including Sonar).

I do not have a clear vision of the Sonar strategy/roadmap regarding security checks, but maybe that is not a priority to comply with standards.

I will not do it manually, because it will be a nightmare to maintain. I guess I can consider that I will never have info for that topic, unfortunately.

Hi,

Thanks for your feedback. FYI, I’m moving this to the Feature Request category.

Ann


Thanks, that is a great feature idea. Would be a pleasure to talk about this topic with Sonar teams. I could enter in the details of my company and customers contexts if necessary.

If you go to our Jira RSpec project, you don’t have to build this matrix manually, but can extract it in a semi automated way with the right query…


Hi Loïc,

Sorry for the late reply.
I do not really understand how you do it in a semi automated way. If you can be more accurate it could help a lot.

Thanks in advance

Hello @Jix,

The link provided by Ann in her previous message is already a direct link to a query that will list all C rules with the CERT tag. You can then use this list directly, or export it (for instance in XML format), for any purpose you want.

Hope this clarifies?

Oh, I did not understand that Jira RSpec contains all the current rules. I’ll check that. Thanks for your answer.
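Once the rule data has been exported (from the rules site or from RSpec, as suggested above), the coverage matrix the original question describes is a small data-processing step: pull the CERT identifiers out of each rule's “See” section and check them against the list of CERT rules you care about. The Python below is an added example, not code from this thread or from SonarSource; it runs on a constructed sample (placeholder rule keys RULE-A to RULE-D and a hand-picked subset of CERT C identifiers) in place of a real export.

```python
import csv
import io
import re

# CERT identifiers look like INT30-C, EXP50-CPP or ERR00-J.
CERT_ID = re.compile(r"\b([A-Z]{3}\d{2}-(?:CPP|C|J))\b")

# Constructed sample input: placeholder Sonar rule keys mapped to the lines of
# their "See" section. Not taken from any real rule page or export.
SAMPLE_RULES = {
    "RULE-A": ["CERT, INT30-C. - Ensure that unsigned integer operations do not wrap"],
    "RULE-B": ["CERT, INT30-C.", "CERT, INT32-C."],
    "RULE-C": ["CWE, CWE-476 - NULL Pointer Dereference"],  # cites no CERT rule
    "RULE-D": ["CERT, STR38-C. - Do not confuse narrow and wide character strings"],
}

# Constructed (hand-picked) subset of SEI CERT C identifiers to measure coverage against.
CERT_CATALOG = ["ARR30-C", "INT30-C", "INT32-C", "MEM31-C", "STR38-C"]

def cert_ids(see_lines):
    """Return the set of CERT identifiers cited in one rule's See section."""
    found = set()
    for line in see_lines:
        found.update(CERT_ID.findall(line))
    return found

def coverage_matrix(rules, catalog):
    """Map each CERT id in the catalog (plus any others cited) to the sorted
    Sonar rule keys that reference it; an empty list means 'not covered'."""
    matrix = {cert: [] for cert in catalog}
    for key in sorted(rules):
        for cert in cert_ids(rules[key]):
            matrix.setdefault(cert, []).append(key)
    return matrix

def coverage_ratio(matrix, catalog):
    """(covered, total) over the catalog only, ignoring ids outside it."""
    return sum(1 for cert in catalog if matrix.get(cert)), len(catalog)

def coverage_csv(matrix):
    """Render the matrix as CSV: cert_rule, covered flag, citing Sonar rules."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["cert_rule", "covered", "sonar_rules"])
    for cert in sorted(matrix):
        writer.writerow([cert, "yes" if matrix[cert] else "no", ";".join(matrix[cert])])
    return out.getvalue()

if __name__ == "__main__":
    print(coverage_csv(coverage_matrix(SAMPLE_RULES, CERT_CATALOG)))
```

Feeding it a real export means replacing SAMPLE_RULES with the rule keys and “See” lines from the XML/CSV you extracted, and CERT_CATALOG with the full list of identifiers from the SEI CERT standard you are auditing against.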