Sonar Cloud Security Configuration

Sonar has a module, Sonar Cloud. How can I set up a thorough secure code review covering all the possible vulnerabilities, including setting up hotspots? I have worked closely with Sonar Cloud but failed to find the vulnerabilities in code, while other tools report more observations. Also, Sonar Lint is an IDE-integrated solution which doesn't solve my purpose of secure code. I need help to fine-tune the security configuration, if any.

Hi,

Welcome to the community!

Taint analysis rules purposely aren’t run in SonarLint because they would drag down the IDE performance.

Are they correct observations? It’s not a quantitative game, but a qualitative one.

And if there are true-positive issues raised by other tools, but not by us, we’re eager to learn of them so we can fix the problem.

Ann

Yes, there were many that were not reported by Sonar Cloud. Even basic hardcoded credentials were not reported by Sonar.

I am open to having your support team help me with an SOP to set up a thorough Security Profile.

I am OK with having documentation from your end as well; I am OK with being proved wrong, but as mentioned above, many of them are not reported by Sonar.

Hi,

Could you give an example of a hardcoded credential that wasn't picked up on?

Thx,
Ann

DB credentials stored in the credentials are the examples. I would like to know the list of best security practices for Sonar Cloud.

Hi,

I'm looking for an example / reproducer. Are we talking about credentials hard-coded in a DB connection string?

Thx,
Ann

I need a security checklist to ensure practices have been followed to avoid such observations as in the screenshots.

Hi,

What kind of file is that in your screenshot? What’s the file extension?

Thx,
Ann

Hi,
Why are you asking useless questions, when you can see the other tools' reports give me the output? If you have a list of security controls to get better results, please let me know. Kindly don't waste your and my time with these irrelevant questions.

Hi,

You’re reporting a false negative. Without the details of

  • language
  • rule
  • reproducer

then all I have is “something’s wrong”, and there’s not much I can do with that.

Looking more closely at your screenshot, it seems the file type is .js. Knowing the language, I can verify that we do have a rule for that: S2068, which is a Security Hotspot rule.

Have you checked the Security Hotspots tab?

Ann
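The kind of finding this thread is about (a DB password hard-coded in a config object or a connection string in a .js file) can be caught locally before it ever reaches SonarCloud. The scanner below is an added example, not part of this thread and not SonarCloud's S2068 implementation; the regex patterns, the `isPlaceholder` heuristic and the two sample snippets are all constructed for illustration.

```javascript
// Added example, not SonarCloud's S2068 rule: a small scanner for credentials
// hard-coded in JavaScript source, next to the hardened pattern that reads
// them from the environment. Patterns, names and samples are constructed.

const CREDENTIAL_PATTERNS = [
  // password/secret/token/api key assigned a quoted string literal
  {
    kind: 'assignment',
    re: /\b(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*['"`]([^'"`]+)['"`]/i,
  },
  // user:password@host embedded in a connection URL
  {
    kind: 'connection-url',
    re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:'"`@]+:([^\s@'"`]+)@/i,
  },
];

// Values that are not real secrets: templated env lookups and obvious
// placeholders. Reporting these would only produce noise.
function isPlaceholder(value) {
  return (
    value.trim() === '' ||
    /process\.env/.test(value) ||
    /^(\$\{?[A-Z0-9_]+\}?|<[^>]+>|x{3,}|changeme|example)$/i.test(value)
  );
}

// Returns one finding per source line that matches a pattern with a
// non-placeholder value: { line, kind, text }.
function findHardcodedCredentials(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const { kind, re } of CREDENTIAL_PATTERNS) {
      const m = re.exec(text);
      // the captured value is always the last group of each pattern
      if (m && !isPlaceholder(m[m.length - 1])) {
        findings.push({ line: idx + 1, kind, text: text.trim() });
        break;
      }
    }
  });
  return findings;
}

// Constructed sample: a password hard-coded in a DB config object and in a
// connection string, the observation the reporter expected to see flagged.
const VULNERABLE_SAMPLE = [
  "const mysql = require('mysql');",
  'const conn = mysql.createConnection({',
  "  host: 'db.internal',",
  "  user: 'app',",
  "  password: 'hunter2',",
  '});',
  "const url = 'postgres://app:hunter2@db.internal:5432/prod';",
].join('\n');

// Hardened form: the secret comes from the environment (or a secrets
// manager), so nothing sensitive is committed to the repository.
const HARDENED_SAMPLE = [
  'const conn = mysql.createConnection({',
  '  host: process.env.DB_HOST,',
  '  user: process.env.DB_USER,',
  '  password: process.env.DB_PASSWORD,',
  '});',
  'const url = `postgres://${process.env.DB_USER}:${process.env.DB_PASSWORD}@db.internal:5432/prod`;',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', findHardcodedCredentials(VULNERABLE_SAMPLE));
  console.log('hardened:', findHardcodedCredentials(HARDENED_SAMPLE));
}
```

Run against the vulnerable sample it reports lines 5 and 7; against the hardened sample it reports nothing, because the `process.env` references are treated as placeholders rather than values. A check like this is a cheap pre-commit gate, not a substitute for the platform rule: when SonarCloud genuinely misses a case that another tool catches, the language, the rule (here S2068) and a minimal reproducer such as the snippet above are exactly what makes the false negative actionable.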