How to configure rules to fall into one of the “Security Category” subcategories

Hi everyone,

I am working with C++ (Community) Plugin 2.0.7. We have modified it in order to implement a new rules repository and a new parser to scan a third-party XML report.
We run SonarScanner to scan this XML report, which is generated by a third-party source code analysis tool.

Because a new rules repository is used by the third-party tool, I have also included a new XML rule map to create the repository based on this third-party rule set.

I am using:

  • Sonarqube Community Edition Version 8.9.9
  • SonarScanner 4.3.0.2102
  • C++ (Community) Plugin 2.0.7 → modified to include my own parser and repository

The new rules repository is included in the SonarQube coding rules set as a new repository with the fields properly assigned (e.g. severity, type, …).
A set of rules is “Security Category” related.
Below is an example of the fields which I have set for each rule in the XML rules map file:

	<rule>
		<key>CWE-125-a</key>
		<name>Avoid accessing arrays out of bounds</name>
		<description>Avoid accessing arrays out of bounds</description>
		<tag>cwe</tag>
		<internalKey>CWE-125-a</internalKey>
		<severity>CRITICAL</severity>
		<type>VULNERABILITY</type>
		<remediationFunction>LINEAR</remediationFunction>
		<remediationFunctionGapMultiplier>5min</remediationFunctionGapMultiplier>
	</rule>

My question is how rules can be defined to fall into the “Security Category” tabs, i.e. “OWASP Top 10”, CWE or “SANS Top 25”.
I have reviewed the built-in tags defined in this link: Built-in Rule Tags | SonarQube Docs. I have set some tags, such as “owasp”, via the web UI, not via the XML file. But it seems it is not working. Rules fall under the Security Category → SonarSource tab.

I do not know if another tag must be used or if there is another field that I am not using which controls this behaviour.

Thanks in advance.
David

Hi,

That plugin isn’t supported here. You should direct your questions to its maintainers.

Ann

Hi @ganncamp,
Thanks for your quick reply.

Although this plugin is not supported here, I guess my problem is focused on the definition of the XML file with the rules definition.

This plugin is using the org.sonar.api.server.rule.RulesDefinitionXmlLoader class. So, I do not know if this way (I know that loading XML is deprecated) allows setting any tag or any param so that rules fall into the “Security Category” tabs, i.e. “OWASP Top 10”, CWE or “SANS Top 25”.

If that is not possible, maybe RulesDefinition.Rule.securityStandards() and a subsequent change of methodology is the solution?

Thanks
David

Hey @falconhunter

You are probably most interested in the addCwe and addOwaspTop10 methods of the RulesDefinition.NewRule class.

The SANS Top 25 security category is automatically derived from the CWEs attached to the rule. You can poke around the code here to get a feeling for how CWEs filter down into SANS Top 25 categories. This is also how the SonarSource Security Category is constructed.
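
As an added example (not code from this thread and not from the cxx plugin), here is how the repository from the question could be declared programmatically against the SonarQube 8.9 plugin API instead of through RulesDefinitionXmlLoader, attaching the standards with addCwe and addOwaspTop10. The package name, repository key, language key, the second rule and the OWASP category chosen for it are assumptions made for illustration; the first rule mirrors the fields of the XML snippet in the question.

```java
package com.example.cxx.rules; // assumed package, not the plugin's own

import org.sonar.api.rule.Severity;
import org.sonar.api.rules.RuleType;
import org.sonar.api.server.rule.RulesDefinition;

/**
 * Added example: declares the third-party repository in code so that each rule
 * can carry its security standards. Only addCwe()/addOwaspTop10() place a rule
 * in the "Security Category" tabs; tags such as "owasp" are search labels only.
 */
public class ThirdPartyRulesDefinition implements RulesDefinition {

  // Assumed identifiers; the real plugin uses its own repository/language keys.
  static final String REPOSITORY_KEY = "thirdparty-cxx";
  static final String LANGUAGE_KEY = "cxx";

  @Override
  public void define(Context context) {
    NewRepository repo = context
        .createRepository(REPOSITORY_KEY, LANGUAGE_KEY)
        .setName("Third-party C++ analyzer");

    // Rule taken from the question's XML rule map (CWE-125 = out-of-bounds read).
    NewRule oob = securityRule(repo, "CWE-125-a",
        "Avoid accessing arrays out of bounds", new int[] {125});
    // The remediation function from the XML: LINEAR with a 5min gap multiplier.
    oob.setDebtRemediationFunction(oob.debtRemediationFunctions().linear("5min"));

    // Assumed second rule for illustration: OS command injection (CWE-78),
    // which additionally maps to OWASP Top 10 2017 A1 (Injection).
    NewRule cmdi = securityRule(repo, "CWE-78-a",
        "Avoid passing untrusted input to system()", new int[] {78},
        OwaspTop10.A1);
    cmdi.setDebtRemediationFunction(cmdi.debtRemediationFunctions().linear("10min"));

    repo.done();
  }

  /**
   * Creates a VULNERABILITY rule and attaches its security standards.
   * addCwe() fills the CWE tab and is the input from which SonarQube derives the
   * SANS Top 25 and SonarSource categories; addOwaspTop10() fills the OWASP tab.
   */
  static NewRule securityRule(NewRepository repo, String key, String name,
      int[] cwes, OwaspTop10... owasp) {
    NewRule rule = repo.createRule(key)
        .setName(name)
        .setHtmlDescription("<p>" + name + "</p>")
        .setInternalKey(key)
        .setSeverity(Severity.CRITICAL)
        .setType(RuleType.VULNERABILITY)
        .setTags("cwe"); // label only, does not affect Security Category
    rule.addCwe(cwes);
    if (owasp.length > 0) {
      rule.addOwaspTop10(owasp);
    }
    return rule;
  }
}
```

The class still has to be registered from the plugin's entry point, e.g. `context.addExtension(ThirdPartyRulesDefinition.class)` in the `Plugin.define()` implementation; an alternative that keeps the existing XML loader is to call `RulesDefinitionXmlLoader.load(repo, reader)` first and then enrich each rule through `repo.rule(key).addCwe(...)` before `repo.done()`, since the CWE numbers are not a field the XML loader understands.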

Hi @Colin

Thanks for your reply. This is what I was looking for.
I am going to try to modify my plugin in order to change the definition of my repository with this class and methods instead of xml loader.

KR

David

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.