No Go Vulnerabilities rules in SonarQube

l.cristiani · November 29, 2021, 3:01pm

Hello everyone,
first of all I think it’s useful to notify that I’ve read this thread:

nevertheless I think maybe now it’s time to add some vulnerabilities rules related to Go.
It’s true that one can import external scanner results, it’s true that one can define custom rules, but I hope that a best of breed solution such as SonarQube could have its own Go vulnerabilities coverage.
All the best,
LC

Alexandre_Gigleux · December 3, 2021, 7:41am

Hello,

I can only agree with you and tell that this is a feature that we are considering for 2022.

Alex

l.cristiani · March 29, 2022, 1:55pm

Hello,
did the project to include SAST GoLang coverage in SonarQube have any evolutions?
Best

l.cristiani · April 27, 2022, 9:59am

Hi all,
there are several posts regarding this issue, but I see no news about it so far, so I create a new post.
I think maybe now it’s time to add some vulnerabilities rules related to Go.
It’s true that one can import external scanner results, it’s true that one can define custom rules, but I hope that a best of breed solution such as SonarQube could have its own Go vulnerabilities coverage.
All the best,
LC

Colin · April 27, 2022, 1:05pm

Hey there.

This is something we’re already listing as under consideration on our roadmap. It would be great for you to add your voice there: https://portal.productboard.com/sonarsource/3-sonarqube/c/215-sast-for-go

l.cristiani · April 27, 2022, 3:26pm

Hi Colin,
I’ve already added my voice there, probably twice (by mistake), I am one of the 13 who expressed interest in the feature, unfortunately I see no progress and didn’t get any update.
Best,
LC

CameronG · January 3, 2023, 4:26pm

There is a command line tool, govulncheck, available as part of the Go toolset. This seems like an ideal mechanism for reporting vulnerabilities to Sonar, perhaps in a similar way to how test reports and the lint reports are processed by Sonar. More info on this is available here: govulncheck command - golang.org/x/vuln/cmd/govulncheck - Go Packages

Loris_Sierra · June 5, 2023, 2:13pm

Hello everyone,

Thank you for your impressive patience. We should start working on Golang this year. It’s not the highest priority on our roadmap, but our AppSec research team should at least start doing the research that will bring detection capabilities.

Until then, Cameron’s alternative should be ok!

Cheers,

Loris