Sonarqube interaction with DefectDojo and Threadfix !?

Hi,

I want to evaluate some aggregator tools like
DefectDojo https://www.defectdojo.org/ and
ThreadFix https://threadfix.it/

WRT the SonarQube integration:

Do you have practical experience with these tools?
The timestamp of the ThreadFix documentation for the Sonar plugin is rather old (2017); it seems the development has stalled?!
What’s the status of https://jira.sonarsource.com/browse/MMF-1672 ?
I also checked https://github.com/DefectDojo/django-DefectDojo/issues/810 , but it’s still not clear
whether SonarQube integration works.

Gilbert

I’m Dan Cornell from Denim Group / ThreadFix.

We’ve recently updated our SonarQube integration to pull in the results of the updated vulnerability scanning - the vulnerabilities and security hotspots. It is currently a plugin but will be rolled into the main build shortly. If you want to take a look could you please shoot me an email dan at denimgroup dot com or just fill out the contact form at https://threadfix.it/contact/ and mention me/SonarQube in the comments.


Welcome Dan :slight_smile:

Sorry for the late response, I had been on a business trip.
Just wondering why SonarQube support is not reflected at https://threadfix.it/integrations/ ?!
If this is still work in progress, I prefer to evaluate the final product.
Why has https://github.com/denimgroup/threadfix been archived? Did you switch from
open source to closed source?

Gilbert

Yeah we need to get the SonarQube/SonarSource integration listed on the integrations page. I’ll ping the folks who maintain the site.

Also we stopped actively maintaining the open source version of ThreadFix a couple of years ago in order to focus on the commercial edition. The economics of the dual open/commercial versions just weren’t working out for us so we chose to focus on the commercial side.

As I also didn’t find JFrog Artifactory and Xray on the integrations page, are these supported?

We don’t have native integrations with those yet, but it should be pretty easy to convert their results to our .threadfix file format:
https://denimgroup.atlassian.net/wiki/spaces/TDOC/pages/496009270/ThreadFix+File+Format
You’d use the “DEPENDENCY” vulnerability type for the results.

You also have to add a new scanner type - docs for that are here:
https://denimgroup.atlassian.net/wiki/spaces/TDOC/pages/23368932/Customizing+Scanner+Severities

Thanks for the update. For further questions I’ll go via threadfix/contact.