SonarQube 6.7 OWASP check

Dear Sonar team,
could you please explain how OWASP checking works with sonar-dependency-check-plugin?
I mean, is there any flow inside SonarQube separate from the plugin (the plugin just reads the report, as I understand)?

Some other questions related to the flow:

  1. Can I increase the verbosity of reports?
  2. How can I find documentation for the flow (for my particular SonarQube version)?

SonarQube v6.7.6.38781 LTS
Sonar-dependency-check-plugin-1.1.1.jar

Hello @ep4sh
sonar-dependency-check-plugin is a community plugin not maintained by SonarSource.

All the information you request is likely to be available on the project’s GitHub repository.

Eric


Eric,
thanks for your reply. Could you please clarify whether SonarQube v6.7 has something like security-related rules (as in SonarQube v8.1), or is all such activity provided by Sonar-dependency-check-plugin?

Hello,

SonarSource started to provide serious and solid security features (taint analysis, security hotspots, reports, …) starting from SonarQube 7.9 LTS (July 2019): https://www.sonarqube.org/features/security/. So it’s highly recommended to upgrade to it, or better, to the latest version, where we are continuously enhancing the accuracy and performance of the taint analyzer and other security-related rules.

What “sonar-dependency-check-plugin” provides is an SCA (Software Composition Analysis) feature, and SonarSource decided to concentrate on SAST (Static Application Security Testing) features.

Regards
