Pulling total vulnerability count from fixed point in timeline from SonarQube API

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)

Version 7.7

  • what are you trying to achieve

As part of an ask from my employer they would like to capture the total vulnerabilities in SonarQube from the previous week. For example, in week 1 say there are already 20 vulnerabilities in SonarQube. During week 1 an additional 10 vulnerabilities were created giving us a total of 30. Also, during that week let's say 6 are closed as false-positives, 9 are closed as won’t-fix and 2 are closed as fixed. Our total vulnerabilities in SonarQube after that are now 13.

The issue here is that when we pull the SonarQube issues into an excel sheet for analysis I have no way of pulling the total vulnerabilities from a fixed point in time. Ideally… I’d like to know what was the TOTAL vulnerabilities (both outstanding and newly created) from last week, thus the 30 vulnerabilities I mentioned earlier. Using the SonarQube APIs there is only a way to pull current numbers and not numbers from a fixed date in the timeline that I’ve seen.

There is also an additional problem of vulnerabilities changing their resolution or status as they’re worked on by R&D. As a vulnerability's state (resolution, status) changes, I have not found a way to correlate it back to the previous week. The only way I have found this to be possible was if the vulnerability was in fact created during the previous week and thus I can filter by the creation_date column in the API. However, like in my example, if we have 20 outstanding vulnerabilities from say several months ago that were closed, marked as false-positive, etc… during the previous week then I have no way of knowing they should be counted as part of the TOTAL vulnerability count for the previous week.

Also, filtering by updated date could be an option but from what I’ve seen filtering by updated_date seems to produce incorrect results especially when trying to pull items whose resolution is now labeled under false-positive, removed, fixed, and won’t-fix.

I would love to have a discussion with anyone who has worked on a similar issue like this before. I’m happy to share in more detail what I’ve tried so far but what I wrote above should give you a general idea of the issue I am looking to resolve.

Thank you for the help!

Kevin,

It really seems that what you want already exists in the Activity tab of your SonarQube project.

An example from SonarSource’s instance of SonarQube (selecting Vulnerabilities as the custom metric to display):

https://next.sonarqube.com/sonarqube/project/activity?custom_metrics=vulnerabilities&graph=custom&id=org.sonarsource.orchestrator%3Aorchestrator-parent

This shows the total outstanding vulnerabilities over time. GET api/measures/search_history is the Web API being used if you really need to export this information outside of SonarQube.

Hi Colin,

Thank you for your reply. This Activity tab looks to display metrics per project instead of a combination of all projects. What I am really looking for is to capture the combined vulnerability data from all projects in SonarQube and display this as a single metric in an excel sheet.

Provided, I could potentially call the API for each project separately to get their total vulnerability counts from the previous week but, given the number of projects we have and the rate at which new projects are created and old ones are removed, this seems less than optimal.

Unless I misunderstand the capabilities of the activity tab, does SonarQube have something to accomplish what I’ve described above?

Aggregating the metrics of many projects can be accomplished with Portfolios available in the Enterprise Edition of SonarQube ($).
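For anyone without Portfolios, the per-project approach Kevin describes above can be scripted against the `api/measures/search_history` endpoint Colin points to. This is an added example, not code from the thread or from SonarQube: it takes one search_history response per project key and sums the `vulnerabilities` value each project had as of a cut-off date (the last analysis at or before that date). The project keys, dates and counts are constructed sample data, and fetching the responses (one authenticated GET per project key) is left to the caller.

```python
"""Sum the 'vulnerabilities' measure across projects as of a given date.

Assumes the response shape of GET api/measures/search_history:
{"measures": [{"metric": "...", "history": [{"date": "...", "value": "..."}]}]}
A history point may lack "value" when the metric was not computed.
"""
from datetime import datetime


def parse_ts(stamp):
    # SonarQube timestamps look like 2019-03-04T10:15:30+0000
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")


def value_as_of(history, as_of):
    """Last recorded value at or before `as_of`, or None if no analysis yet."""
    latest = None
    for point in history:  # history is returned oldest first
        if "value" in point and parse_ts(point["date"]) <= as_of:
            latest = int(point["value"])
    return latest


def total_as_of(responses, as_of, metric="vulnerabilities"):
    """Sum one metric over several search_history responses keyed by project."""
    per_project = {}
    for key, resp in responses.items():
        for measure in resp.get("measures", []):
            if measure["metric"] != metric:
                continue
            value = value_as_of(measure["history"], as_of)
            if value is not None:  # skip projects not yet analysed at that date
                per_project[key] = value
    return sum(per_project.values()), per_project


# Constructed sample: three projects, one of them first analysed after the cut-off
SAMPLE = {
    "proj-a": {"measures": [{"metric": "vulnerabilities", "history": [
        {"date": "2019-03-01T08:00:00+0000", "value": "20"},
        {"date": "2019-03-08T08:00:00+0000", "value": "13"}]}]},
    "proj-b": {"measures": [{"metric": "vulnerabilities", "history": [
        {"date": "2019-03-05T12:00:00+0000", "value": "4"}]}]},
    "proj-new": {"measures": [{"metric": "vulnerabilities", "history": [
        {"date": "2019-03-09T12:00:00+0000", "value": "5"}]}]},
}

if __name__ == "__main__":
    cutoff = parse_ts("2019-03-07T00:00:00+0000")
    print(total_as_of(SAMPLE, cutoff))  # (24, {'proj-a': 20, 'proj-b': 4})
```

Note that the history records the outstanding count at each analysis, so closed, false-positive and won't-fix issues drop out of it; the "total seen during the week" Kevin asks for still needs the issue-level data.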