Sonarcloud - scanning for security issues vs proprietary tools & findbugs/pmd

I am currently using to scan an open source project I’m working on.

How comparable are the built in rules with the checks done by pmd & findsecbugs (spotbugs+find-sec-bugs) on java code?

I have integrated both as external analyzers, and can see issues tagged findsecbugs & pmd in sonarcloud. I’m unclear how to filter them though, or how they feature in the metrics, and whether additional configuration is helpful.

How comparable is the sonar java scanner with proprietary tools like Fortify static analyzer (which also makes use of findbugs) both in terms of static code analysis, and bytecode analysis?

I’ve been comparing Fortify reports with sonar, pmd, findbugs

So far the critical/high sev issues I’ve seen reported by Fortify by the Data Flow & Control flow analysers are basically not appearing at all in Sonar, pmd, or spotbugs :frowning:

Looking for recommendations for any plugins/ways to close the gap (ideally sonarcloud). Maybe there aren’t any …

Hi @planetf1,

It’s not always easy to compare analysis tools, some are better in one domain, others in other domain. Here we could help you about SonarJava. For PMD, findsecbugs and Fortify I would advise you to check their community support.

So if you want, you can show some examples of issues found by Fortify and not found by SonarJava, may be it’s possible to improve SonarJava.

I’m not sure there is a way to close that gap at least on sonarcloud (as it’s not possible to install community plugins). May be you can find other tools which reports you can import at external.

Hello @planetf1,

I’m really interested to have more details about the issues you would expect SonarCloud to discover. Today, our data flow engine is running in the background of the following rules for Java:

  • S3649: SQL Injection
  • S5131: XSS
  • S5146: Open Redirect
  • S5167: HTTP Response Splitting
  • S2083: Path Traversal Injection
  • S2078: LDAP Injection
  • S5145: Log Injection
  • S2076: OS Command Injection
  • S2631: RegExp Injection
  • S5144: Server-Side Request Forgery (SSRF)
  • S2091: XPath Injection
  • S5135: Deserialization Injection
  • S5334: Code Injection

Can you share a link to the open source project you scanned on SonarCloud?
Edit: I guess the project you are talking about is: