After the log4j vulnerability hit, my organization tasked me with re-analyzing all SonarQube projects to uncover the scope of this issue.
I use Dependency-check and the SonarQube plugin for security scanning.
Dependency-check discovers the vulnerability and it is reported in SonarQube.
But when I want to retrieve all components that have got this vulnerability, I am limited by SonarQube categorizing everything Dependency-check reports as CWE-937. There is no way for me to search for CVE-2021-44228, which is the issue I need to report on. See image below.
What I want is for SonarQube to retrieve the CVE that is listed in the vulnerability, enabling me to search for exact CVEs.
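Since the SonarQube issue search only exposes the CWE-937 tag, one way to answer "which components in which projects carry CVE-2021-44228" is to index the Dependency-Check JSON reports directly. This is an added example, not code from the original post or from either project; it assumes the report layout `dependencies[].fileName` and `dependencies[].vulnerabilities[].name`, and the project names, jar names and the second CVE id are constructed placeholders.

```python
import json
import sys
from collections import defaultdict


def make_report(file_name, cve_ids):
    # Constructed sample in the assumed shape of a Dependency-Check JSON report:
    # one vulnerable dependency plus one clean dependency without a
    # "vulnerabilities" key, so the parser must tolerate its absence.
    return json.dumps({
        "dependencies": [
            {"fileName": file_name,
             "vulnerabilities": [{"name": c, "cwes": ["CWE-937"]} for c in cve_ids]},
            {"fileName": "clean-lib.jar"},
        ]
    })


# Constructed reports keyed by project name; "CVE-0000-0000" is a placeholder id.
SAMPLE_REPORTS = {
    "app-a": make_report("log4j-core.jar", ["CVE-2021-44228"]),
    "app-b": make_report("other-lib.jar", ["CVE-0000-0000"]),
    "app-c": make_report("log4j-core.jar", ["CVE-2021-44228", "CVE-0000-0000"]),
}


def cve_index(reports):
    """Map each CVE id to the (project, dependency file) pairs it affects."""
    index = defaultdict(list)
    for project, text in reports.items():
        report = json.loads(text)
        for dep in report.get("dependencies", []):
            for vuln in dep.get("vulnerabilities", []):
                index[vuln["name"]].append((project, dep["fileName"]))
    return dict(index)


def components_with(reports, cve):
    """Return the affected (project, dependency file) pairs for one CVE id."""
    return cve_index(reports).get(cve, [])


if __name__ == "__main__":
    # Usage: python cve_index.py CVE-2021-44228 report1.json report2.json ...
    # Each report file is keyed by its path when run on real output.
    cve, paths = sys.argv[1], sys.argv[2:]
    reports = {p: open(p, encoding="utf-8").read() for p in paths} or SAMPLE_REPORTS
    for project, component in components_with(reports, cve):
        print(f"{project}\t{component}\t{cve}")
```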
Let’s be clear. SonarQube doesn’t classify everything as CWE-937. Dependency-check does. Perhaps you’d like to raise an issue on that project.
Hi @ganncamp and thank you for replying. There is a similar request on the Plugin-repo, but reading that, it looks like SonarQube doesn’t allow the use of other CWEs during runtime analyses?
From the issue:
"This plugin is using only two rules (one with Security Hotspot function and one without). Currently SonarQube does not support overwriting or adding more CWEs at runtime.
As far as I know the rules cannot be changed after startup and it is not possible to add suitable rules dynamically.
Please note that CWE-937 applies to all vulnerabilities as described in the official documentation."
Can you verify that it is possible to classify with whichever CWE you want?
When looking at the “Rules” in SonarQube, there is a limited number of tags that can be used. This is the issue at hand.
Can you please reply to my above questions @ganncamp? Or anyone else?
My understanding is that rule developers can assign whatever tags they’d like.
Ok, thank you for your reply.