Don’t know; we have access to it via the web and sonarscanner
What are you trying to achieve?
Trying to determine which SonarQube rules map to Fortify categories and, when a match is found, how to trigger this rule to fail just like Fortify fails it.
Fortify spat out errors for the category ‘XML External Entity Injection (XXE) attacks’ in some Java code. The SonarQube rule ‘XML parsers should not be vulnerable to XXE attacks’ seems to match this Fortify category most closely. However, when SonarQube is run on the same Java software, SonarQube does not show a finding.
I’m looking for 2 things:
What is the mapping of SonarQube rules to Fortify categories?
Why does the rule not trigger in SonarQube if there is such a mapping?
The SonarQube rule in question is Java (XML parsers should not be vulnerable to XXE attacks).
XXE being XML External Entity. These are used for denial of service.
Would you please provide example code that would trigger any of the XXE rules?
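As an added illustration, not code posted by any participant in this thread: a DocumentBuilderFactory left at its defaults, which is the pattern the XXE rule is meant to flag, next to a hardened configuration that refuses DOCTYPE declarations. The class name and the sample document are constructed for the example.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeParserConfig {

    // Pattern the rule is meant to flag: a factory with default settings.
    // A default DocumentBuilderFactory processes DTDs and resolves external
    // entities, so a document the application does not control can make the
    // parser read external resources or expand entities without bound.
    static Document parseDefault(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened form: forbid DOCTYPE declarations entirely, which removes both
    // external entities and entity-expansion denial of service.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for cases where a DOCTYPE has to be tolerated.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless internal entity inside a DOCTYPE.
        // The default parser expands it; the hardened parser rejects the document.
        String withDoctype =
            "<!DOCTYPE note [<!ENTITY greeting \"hello\">]><note>&greeting;</note>";
        System.out.println("default: "
            + parseDefault(withDoctype).getDocumentElement().getTextContent());
        try {
            parseHardened(withDoctype);
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Running a SonarQube analysis over a class like parseDefault is the simplest way to confirm whether the rule is active on a given edition, since it contains exactly the unconfigured factory the rule describes.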
I’m referring to the edition of SonarQube (Community, Developer, Enterprise, Data Center), not the version. In particular, because these rules are only executed in Developer Edition and above ($).