Mapping issues with OWASP Top 10


(Abdessamad Temmar) #1

Hi,

I’m using Sonar 7.4 with an external analyser (Bandit) for Python source code analysis, and I want to map the identified issues to the OWASP Top 10 report.

Is there a way to do this from the GUI?

Is it possible to feed the security report (OWASP Top 10) with issues identified by an external analyzer?

Thanks for your help,


(G Ann Campbell) #2

Hi,

For this to work, two things are going to have to happen:

  1. Issues are raised as Hotspots or Vulnerabilities.
  2. The “standards” (OWASP mappings) are fed for the issues.

You can change the type of an individual issue (but not a rule), but you cannot manually feed the standards data into the issues, so changes would be needed in the plugin.

Ann


(Abdessamad Temmar) #3

Thanks for your reply and the useful information.


(Abdessamad Temmar) #4

Hi again,

I’ve created a test rule using a custom plugin, but I can’t get my issue in the OWASP Top 10 security report.

My rule is listed as a Vulnerability (see SQL Injection).

But it appears as “not OWASP Vulnerability” in the OWASP Top 10 report.

Below are details about this rule:

Source code to create the rule:

[image]

Thanks for your help.


(G Ann Campbell) #5

Hi,

I’m not sure what the code for #2 looks like, but nothing in your code sample jumps out at me as being what’s needed. What’s shown in your screenshots is tags. Standards are a different field.

Ann


(Abdessamad Temmar) #6

It’s OK, I was using an outdated version of the Sonar API. I’ve mapped the created issue to the OWASP Top 10 report using this method:

[image]

Again, thanks for your help!
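For readers arriving at this thread, here is an added example (not the poster's plugin code and not SonarSource's) of a plugin `RulesDefinition` that meets both conditions from Ann's replies in #2 and #5: the rule type is `VULNERABILITY`, and the standards field is populated through `NewRule.addOwaspTop10` and `NewRule.addCwe`, which is the part of the `sonar-plugin-api` that an outdated API version lacks (the problem resolved in #6). The repository key, rule keys, names and descriptions are assumptions made for illustration; `py` is the SonarPython language key.

```java
// Added example, not the thread author's code. Repository key, rule keys,
// names and descriptions below are assumed values for illustration.
package com.example.sonar; // assumed package

import org.sonar.api.rule.RuleStatus;
import org.sonar.api.rule.Severity;
import org.sonar.api.rules.RuleType;
import org.sonar.api.server.rule.RulesDefinition;

public class ExamplePythonSecurityRules implements RulesDefinition {

    public static final String REPOSITORY_KEY = "example-py-security"; // assumed
    public static final String LANGUAGE_KEY = "py";                    // SonarPython language key

    @Override
    public void define(Context context) {
        NewRepository repo = context
                .createRepository(REPOSITORY_KEY, LANGUAGE_KEY)
                .setName("Example Python security rules");

        // Condition 1: the rule type must be VULNERABILITY (or SECURITY_HOTSPOT),
        //              not BUG or CODE_SMELL.
        // Condition 2: the OWASP/CWE "standards" field must be set. Tags such as
        //              "owasp-a1" are free-form labels and do not populate it.
        NewRule sqlInjection = repo.createRule("sql-injection") // assumed rule key
                .setName("SQL queries should not be built from user-controlled input")
                .setHtmlDescription("<p>Concatenating untrusted data into a query "
                        + "enables SQL injection.</p>")
                .setSeverity(Severity.CRITICAL)
                .setStatus(RuleStatus.READY)
                .setType(RuleType.VULNERABILITY)
                .addTags("sql", "injection", "owasp-a1");
        // This is what the OWASP Top 10 security report actually reads.
        sqlInjection.addOwaspTop10(RulesDefinition.OwaspTop10.A1);
        sqlInjection.addCwe(89); // CWE-89: SQL injection

        // Counter-example reproducing the symptom from #4: typed as a Vulnerability
        // and tagged "owasp-a2", but with no standards attached, so its issues are
        // counted under "not OWASP Vulnerability" in the report.
        repo.createRule("hardcoded-password") // assumed rule key
                .setName("Passwords should not be hard-coded")
                .setHtmlDescription("<p>Hard-coded credentials cannot be rotated.</p>")
                .setSeverity(Severity.BLOCKER)
                .setStatus(RuleStatus.READY)
                .setType(RuleType.VULNERABILITY)
                .addTags("owasp-a2", "cwe");

        repo.done();
    }
}
```

As with any rule repository, the class still has to be registered as an extension in the plugin's `Plugin.define` and the rules activated in a quality profile before the analysis raises issues against them; only then do the `VULNERABILITY` type and the attached standard together place an issue in the right OWASP row of the report.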