SAST RESULTS REPORTS for Compliance

Hello,

We are in a paid plan and we require a report representing the results of the SAST.
I want to print a report from the SAST; the report is required for compliance (evidence). The report's purpose is to serve as evidence that the code has had SAST evaluation and to present the findings. (Similar to a Vulnerability Scan Report or a DAST report. These reports present findings in a readable manner to non-technical auditors.)

Hello @mrod,

Such a feature is not available on SonarCloud but it is available on SonarQube Enterprise Edition. It’s called “Security Reports” (see https://www.sonarqube.org/features/security/, at the bottom of the page).
There is no plan in 2020 to add such compliance report on SonarCloud.

Regards

Alexandre_Gigleux,
Okay, so I am using https://sonarcloud.io. Are there any APIs that I can use to try and generate my own reports? And is there a way I can see the findings in, say, IntelliJ?

Hello,

SonarCloud provides an API that is documented here: https://sonarcloud.io/web_api/api/issues?query=issues

SonarLint is here to provide immediate feedback for developers in the IDE. It doesn’t yet show all the issues raised by SonarCloud (in particular Security Hotspots and Taint Analysis issues) but that’s still a good way to catch almost all of them before they even exist.

Regards
Alex
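As an added example (not code from the thread or from SonarSource), the following Python script shows how the issues API mentioned above can feed a self-built evidence report: it pages through `api/issues/search` for one project, counts open vulnerabilities per severity and flattens them into a CSV an auditor can read. The endpoint name and the `componentKeys`, `types`, `resolved`, `p` and `ps` parameters, the use of a user token as the Basic-auth username, and the 10,000-result paging ceiling are assumptions about the standard SonarQube/SonarCloud web API, not details given in the thread; the sample response is constructed.

```python
"""Build a human-readable SAST evidence snapshot from SonarCloud issue data.

Added example, not SonarSource code. Assumes the api/issues/search endpoint
with componentKeys, types, resolved, p and ps parameters (standard in the
SonarQube/SonarCloud web API; the thread only cites the api/issues page) and
that a user token is sent as the Basic-auth username with an empty password.
"""
import base64
import csv
import io
import json
import urllib.parse
import urllib.request
from collections import Counter

SONARCLOUD = "https://sonarcloud.io"

# Severities in the order an auditor would want them listed.
SEVERITY_ORDER = ["BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"]


def fetch_issues(project_key, token, issue_types="VULNERABILITY", page_size=500):
    """Page through api/issues/search for one project and return all open issues.

    Network call; not exercised offline. Paging stops once page * pageSize reaches
    paging.total. Assumption: the API serves at most 10,000 results per query, so
    very large projects need to be split by extra filters (e.g. severities).
    """
    issues, page = [], 1
    auth = base64.b64encode(f"{token}:".encode()).decode()
    while True:
        params = {"componentKeys": project_key, "types": issue_types,
                  "resolved": "false", "p": page, "ps": page_size}
        req = urllib.request.Request(
            f"{SONARCLOUD}/api/issues/search?{urllib.parse.urlencode(params)}",
            headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            data = json.load(resp)
        issues.extend(data["issues"])
        paging = data["paging"]
        if page * paging["pageSize"] >= paging["total"]:
            return issues
        page += 1


def summarize(issues):
    """Count issues per severity, keyed in SEVERITY_ORDER (zeros included)."""
    counts = Counter(i["severity"] for i in issues)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def to_csv(issues):
    """Flatten issues, worst severity first, into the columns a reviewer reads."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["key", "severity", "type", "rule", "file", "line", "status", "message"])
    for i in sorted(issues, key=lambda i: SEVERITY_ORDER.index(i["severity"])):
        # component is "<projectKey>:<path>"; keep only the path for readability.
        writer.writerow([i["key"], i["severity"], i["type"], i["rule"],
                         i["component"].split(":", 1)[-1], i.get("line", ""),
                         i["status"], i["message"]])
    return buf.getvalue()


# Constructed sample shaped like an api/issues/search response; not real data.
SAMPLE_RESPONSE = {
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 3},
    "issues": [
        {"key": "AXexample1", "severity": "MAJOR", "type": "VULNERABILITY",
         "rule": "java:S2068", "component": "org_example:src/Config.java",
         "line": 12, "status": "OPEN", "message": "Review this hard-coded credential."},
        {"key": "AXexample2", "severity": "BLOCKER", "type": "VULNERABILITY",
         "rule": "javasecurity:S3649", "component": "org_example:src/UserDao.java",
         "line": 41, "status": "OPEN", "message": "Change this code to not construct SQL queries directly from user-controlled data."},
        {"key": "AXexample3", "severity": "CRITICAL", "type": "VULNERABILITY",
         "rule": "javasecurity:S2076", "component": "org_example:src/Runner.java",
         "line": 8, "status": "CONFIRMED", "message": "Change this code to not construct the OS command from user-controlled data."},
    ],
}

if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_issues(...) for a live project.
    sample = SAMPLE_RESPONSE["issues"]
    print("Open vulnerabilities by severity:", summarize(sample))
    print(to_csv(sample))
```

Run it against a live project by replacing the sample with `fetch_issues("<project key>", "<user token>")`; the severity summary is the one-line figure for the audit record and the CSV is the attached finding list. Security Hotspots live under a separate endpoint and are not covered by this call.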

Do you know where I can find documentation for SonarLint? I am using IntelliJ and I am having a hard time binding the projects to my SonarCloud.

SonarLint - Invalid binding Project bound to an invalid remote project

Does that mean SonarCloud is capable of performing SAST but not the report? It is not very clearly mentioned whether it is just the reporting that is an additional feature or the scanning too.
Thanks!

I confirm SonarCloud does SAST for Java, C#, PHP, Python, JS, TS, C and C++ but doesn’t provide the Security Reports feature I mentioned.

If I understand your need correctly, you want a way to take a snapshot of your security issues in a human-readable format that you will use as evidence of your security level? Is that correct?

First of all, thanks for such a quick response.

The reason I’m asking is because it’s mentioned in here by one of the SonarSourcers. Although it does not say anything about SonarCloud. So does SonarCloud have different editions as well, or do we get full scanning capabilities and just the reporting thing is different?

And yes, we need the visual representation as well. But mainly we want to be sure that the SAST scan isn’t different from SonarQube Enterprise Edition.

Am I right that Community Edition has a limited number of vulnerabilities?

We provide a lot of Security Vulnerability and Security Hotspot rules with SonarQube Community Edition (CE). With the Developer Edition and above, you also have access to the Taint Analysis/Injection rules on top of what is provided with CE.

I confirm that with SonarCloud you have access to the “full SAST scanning capabilities” and only the reporting thing is different. With SonarCloud you always have the latest and greatest analyzers because all our analyzers are deployed on it as soon as they are available.

Hey Alexandre, we are also on SonarCloud paid plans for multiple organizations but were surprised to find that there was not even a basic SAST reporting feature in the tool. SAST reports need to be provided as documented proof of code quality from a security perspective to auditors and other stakeholders. As a tool SonarCloud is fantastic and developers love it, but it really needs to have (even basic) SAST reporting features. Is this feature expected to be introduced in the near future?

We could imagine adding this feature but if we do it, it should be for very good reasons.
Today, if your Quality Gate is correctly configured and contains the requirements of your developers, security auditors or other stakeholders, the only proof you have to show is that your Quality Gate is green. If it’s green, then you can deploy safely because it means all indicators are at the levels expected by all stakeholders. If it’s red, you must not deploy.

Still, I can understand that for some companies it’s hard to rely on just one single measure and trust it.
So what would you expect to see on these SAST reports and why multiple reports?