Don’t know; we have access to it via the web and SonarScanner.
What are you trying to achieve?
Trying to determine which SonarQube rules map to Fortify categories and, when a match is found, how to trigger this rule to fail just like Fortify fails it.
Fortify spat out errors for the category ‘XML External Entity Injection (XXE) attacks’ in some Java code. The SonarQube rule ‘XML parsers should not be vulnerable to XXE attacks’ seems to match this Fortify category best. However, when SonarQube is run on the same Java software, it does not show a finding.
I’m looking for 2 things:
What is the mapping of SonarQube rules to Fortify categories?
Why does the rule not trigger in SonarQube if there is such a mapping?