Interesting suite of plugins for component analysis (Java)

hi,

A range of SonarQube plugins that cover different aspects of https://www.owasp.org/index.php/Component_Analysis

License : https://github.com/porscheinformatik/sonarqube-licensecheck
Known Vulnerabilities : https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin
Outdated Components : https://github.com/reallyinsane/mathan-dependency-updates-sonar-plugin

https://bitbucket.org/excentia/sonarqube-tattletale-plugin/src/master/ has no 7.9 support (only 5.6), but provides:

  • Identify dependencies between JAR files
  • Find missing classes from the classpath
  • Spot if a class/package is located in multiple JAR files
  • Spot if the same JAR file is located in multiple locations
  • With a list of what each JAR file requires and provides
  • Verify the SerialVersionUID of a class
  • Find similar JAR files that have different version numbers
  • Find JAR files without a version number
  • Find unused JAR archives
  • Identify sealed / signed JAR archives
  • Locate a class in a JAR file
  • Get the OSGi status of your project
  • Remove black listed API usage
  • And generate the same reports for your .WAR and .EAR archives

best regards
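The Tattletale-style checks listed above (a class shipped by more than one JAR, JARs without a version number, the same artifact present in several versions), as an added example that is not part of the original post or of any of the plugins linked: a small stand-alone Python scan over a directory of JARs. The sample JARs are constructed in a temporary directory with placeholder class entries, and the file-name regex plus the artifact/version split are my own assumption about Maven-style `artifact-version.jar` naming, not something the plugin defines.

```python
"""Toy component-analysis pass over a directory of JAR files.

Added example for this thread; not code from Tattletale or any SonarQube
plugin.  It reimplements three of the checks in plain Python so the idea
is visible: classes owned by more than one JAR (classpath shadowing),
JARs whose file name carries no version, and one artifact shipped in
several versions.  All input JARs are constructed below in a temp dir.
"""
import os
import re
import tempfile
import zipfile
from collections import defaultdict

# Assumed Maven-style naming: name-1.2.3.jar, name-1.2.3-SNAPSHOT.jar, name-28.2-jre.jar
VERSIONED = re.compile(
    r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*(?:[-.][A-Za-z0-9]+)*)\.jar$"
)


def split_name(filename):
    """Return (artifact, version) from a JAR file name; version is None if absent."""
    m = VERSIONED.match(filename)
    if m:
        return m.group("artifact"), m.group("version")
    stem = filename[:-4] if filename.endswith(".jar") else filename
    return stem, None


def classes_in(jar_path):
    """Set of .class entries inside one JAR (a JAR is just a zip)."""
    with zipfile.ZipFile(jar_path) as zf:
        return {n for n in zf.namelist() if n.endswith(".class")}


def analyze(jar_dir):
    """Scan every *.jar in jar_dir and return the three findings as dicts/lists."""
    owners = defaultdict(list)    # class entry -> [jar file names that contain it]
    versions = defaultdict(set)   # artifact    -> {versions seen}
    unversioned = []
    for fn in sorted(os.listdir(jar_dir)):
        if not fn.endswith(".jar"):
            continue
        artifact, version = split_name(fn)
        if version is None:
            unversioned.append(fn)
        else:
            versions[artifact].add(version)
        for cls in classes_in(os.path.join(jar_dir, fn)):
            owners[cls].append(fn)
    # A class in two JARs means the classpath order decides which copy loads.
    duplicate_classes = {c: jars for c, jars in owners.items() if len(jars) > 1}
    multiple_versions = {a: sorted(v) for a, v in versions.items() if len(v) > 1}
    return {
        "duplicate_classes": duplicate_classes,
        "unversioned": unversioned,
        "multiple_versions": multiple_versions,
    }


def make_jar(path, entries):
    """Write a zip with the given entry names; class bodies are placeholders."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only


def build_sample(jar_dir):
    """Constructed sample: a logging-bridge clash, two guava versions, one unversioned JAR."""
    j = lambda n: os.path.join(jar_dir, n)
    make_jar(j("commons-logging-1.2.jar"),
             ["META-INF/MANIFEST.MF", "org/apache/commons/logging/Log.class"])
    make_jar(j("jcl-over-slf4j-1.7.30.jar"),
             ["org/apache/commons/logging/Log.class"])  # same class, second owner
    make_jar(j("guava-19.0.jar"), ["com/google/common/base/Joiner.class"])
    make_jar(j("guava-28.2-jre.jar"), ["com/google/common/base/Joiner.class"])
    make_jar(j("legacy-utils.jar"), ["com/example/Util.class"])  # no version in name


def demo():
    """Build the constructed sample and analyze it; returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        return analyze(d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the three findings; point `analyze()` at a real `WEB-INF/lib` or `~/.m2` subtree to try it on an actual build. The duplicate-class check is the one to care about for security: when two JARs own the same class, the classpath order decides which copy actually loads, so a patched library can silently lose to an older shaded copy.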

Hello,

Are you looking for volunteers to bootstrap an SCA plugin for SonarQube?
Can you clarify what the goal of your post is?

Alex

Just wanted to share a good set of plugins for SCA, but maybe I posted in the wrong forum.

best regards

Talked about these plugins at https://www.meetup.com/Javaforum-Goteborg/events/257209883/ : "Secure your development pipeline" presentation

https://github.com/Hack23/talks/raw/master/SecureDevelopmentPipeline20190919.odp (LibreOffice original)

https://github.com/Hack23/talks/raw/master/SecureDevelopmentPipeline20190919.pptx

Also recommend reading https://alphabravo.io/wp-content/uploads/2019/09/DoD-Enterprise-DevSecOps-Reference-Design-V1.0.pdf

best regards