Mapping SonarQube Rules to Fortify Categories

SonarQube Version: 10.3 (build 82913)

How deployed?

  • Don’t know; we have access to it via the web and sonarscanner

What are you trying to achieve?

  • Trying to determine which SonarQube rules map to Fortify categories and, when a match is found, how to trigger this rule to fail just like Fortify fails it.

Fortify spat out errors for the category ‘XML External Entity Injection (XXE) attacks’ in some Java code. The SonarQube rule ‘XML parsers should not be vulnerable to XXE attacks’ seems to match this Fortify category most closely. However, when SonarQube is run on the same Java software, SonarQube does not show a finding.

I’m looking for 2 things:

  1. What is the mapping of SonarQube rules to Fortify categories?
  2. Why does the rule not trigger in SonarQube if there is such a mapping?

What edition of SonarQube are you using?

I wouldn’t say there is one.

Great question! Can you share the code where you expect an issue to be raised?

I appreciate the response.

The SonarQube rule in question is Java (XML parsers should not be vulnerable to XXE attacks).
XXE stands for XML External Entity. These are used for denial of service.

Would you please provide example code that would trigger any of the XXE rules?

I’m referring to the edition of SonarQube (Community, Developer, Enterprise, Data Center), not the version. In particular, because these rules are only executed in Developer Edition and above ($).

You can find non-compliant code examples in the rule description.

We have Enterprise Edition of SonarQube
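As an added illustration of what the rule discussed in this thread distinguishes (this is example code written for this page, not code from the thread, from Fortify, or from the SonarQube rule description): an unrestricted `DocumentBuilderFactory`, which is the shape the rule reports, beside a hardened factory that refuses DOCTYPEs and external DTD/schema access. The class name and the sample XML are constructed; the `disallow-doctype-decl` feature assumes the JDK's default Xerces-based JAXP implementation.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeRuleDemo {

    // Shape the SonarQube rule flags: a factory created with defaults and
    // never restricted, so DTD and entity processing stays enabled.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: refuse any DOCTYPE outright (Xerces feature,
    // assumed available on the default JDK parser) and also block external
    // DTD/schema access via the standard JAXP attributes, so a different
    // implementation that ignores the Xerces feature is still restricted.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Constructed sample input: a document carrying a DOCTYPE with an
    // internal entity only, enough to show the two parsers diverge.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greet \"hello\"> ]>\n"
      + "<note>&greet;</note>";

    static String parseRoot(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser expanded entity: " + parseRoot(defaultParser(), SAMPLE));
        try {
            parseRoot(hardenedParser(), SAMPLE);
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The default parser prints the expanded entity text, while the hardened one throws on the DOCTYPE before any entity is touched; only code of the first shape is what the rule is designed to report.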