Are there any tools or further documentation on how to configure SonarQube/SonarSource to do Security Engine (SAST) scanning? This page, Security Engine Custom Configuration | SonarQube Docs, advises providing a JSON file that goes down to a very high level of detail. Is there anything to help with generating that JSON? It seems extremely impractical to produce by hand. It seems like it wants you to compile the code into class files and manually pull out the methodIds to use, but for a baseline of any significant size that would be completely impractical. Is it something that can be produced by the scanners? Is it expected that this will only apply to a few methods? It appears that there used to be analysis parameters, but they are now deprecated.
Out-of-the-box, SonarQube includes an immense amount of configuration (sources, sanitizers, passthroughs, and sinks) for various languages and their frameworks.
This feature is really intended for organizations who have their own internal libraries that need to be added on top of this configuration, and yes – if you need to generate that data, it is a manual process.
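Since the answer confirms the custom-configuration JSON is produced by hand, here is an added example (not from the thread, and not SonarSource tooling) of the kind of helper script that takes the manual part out of it: it parses `javap -p` output for the internal library classes, builds the `package.Class#method(param, types)` methodIds in the form used in the docs' Java example, and emits the sources/sinks JSON for a chosen rule key. The javap text, the `my.company.*` classes and the selection table are constructed for the example; the JSON layout and the 1-based `args` indexing follow the docs' Java sample for rule S3649, so check the current docs page before loading the output into your instance.

```python
"""Generate a SonarQube Security Engine custom-configuration JSON from javap output.

Constructed example: the classes below do not exist. On a real project you would
feed in the output of
    javap -p -cp target/classes my.company.db.MySql my.company.web.ServerRequest
"""
import json
import re

# Constructed sample of `javap -p` output (not a real project).
JAVAP_OUTPUT = """\
Compiled from "MySql.java"
public class my.company.db.MySql {
  public my.company.db.MySql();
  public java.sql.ResultSet query(java.lang.String) throws java.sql.SQLException;
  public int update(java.lang.String, java.lang.Object[]);
}
Compiled from "ServerRequest.java"
public class my.company.web.ServerRequest {
  public my.company.web.ServerRequest(java.lang.String);
  public java.lang.String getQuery();
  public java.lang.String header(java.lang.String);
}
"""

# Which methods become sources/sinks for which rule. args are the 1-based
# argument positions that carry tainted data (as in the docs' Java example,
# where index 0 denotes the receiver object); None means no args entry.
# S3649 is the SQL-injection rule key used in the docs' example.
SELECTION = {
    "S3649": {
        "sources": [("my.company.web.ServerRequest", "getQuery", None),
                    ("my.company.web.ServerRequest", "header", None)],
        "sinks": [("my.company.db.MySql", "query", [1]),
                  ("my.company.db.MySql", "update", [1])],
    }
}

# "public class my.company.db.MySql {" -> class name; generics (<T>) are cut off.
CLASS_RE = re.compile(r"^(?:\w+ )*(?:class|interface|enum) ([\w.$]+)")
# "  public java.sql.ResultSet query(java.lang.String) throws X;" -> name, params.
# The last space-separated token before "(" is the method (or constructor) name.
METHOD_RE = re.compile(r"^\s+(?:\S+ )*?([\w.$]+)\((.*?)\)(?: throws .+)?;$")


def parse_javap(text):
    """Return the methodIds for every method javap lists, in file order.

    Constructors are named <init>, matching the docs' passthrough example
    (my.package.RawUrl#<init>(java.lang.String)). Generic parameter types are
    not handled; the sample above uses plain erased types only.
    """
    method_ids = []
    current_class = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current_class = m.group(1)
            continue
        m = METHOD_RE.match(line)
        if m and current_class:
            name, params = m.group(1), m.group(2)
            if name == current_class:          # javap prints constructors as the class name
                name = "<init>"
            arg_types = [p.strip() for p in params.split(",")] if params.strip() else []
            method_ids.append(f"{current_class}#{name}({', '.join(arg_types)})")
    return method_ids


def build_config(method_ids, selection):
    """Assemble the rule -> category -> [{methodId, args}] structure.

    A (class, method) pair matches every overload of that method; a pair that
    matches nothing raises, so a typo in the selection table fails loudly
    instead of silently dropping a sink.
    """
    config = {}
    for rule, categories in selection.items():
        config[rule] = {}
        for category, entries in categories.items():
            config[rule][category] = []
            for cls, method, args in entries:
                matches = [mid for mid in method_ids if mid.startswith(f"{cls}#{method}(")]
                if not matches:
                    raise KeyError(f"{cls}#{method} not found in javap output")
                for mid in matches:
                    entry = {"methodId": mid}
                    if args is not None:
                        entry["args"] = args
                    config[rule][category].append(entry)
    return config


def render(config):
    """Serialize the configuration as the pretty-printed JSON SonarQube expects."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    print(render(build_config(parse_javap(JAVAP_OUTPUT), SELECTION)))
```

The selection table is still written by hand, but it is a short list of class and method names rather than a full signature per entry, and overloads and constructors are picked up from the compiled classes automatically. Regenerating the JSON after each library release keeps the methodIds in step with signature changes.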