SonarQube OWAPS security rules update

(pirespoon) #1

Hi all,
I am evaluating SonarQube Version 7.6 (build 21501) as a static code analysis tool for my company. So far we are happy with the results and features provided by SonarQube, but we came across some questions on how we can update the security rules in SonarQube if there are updates to the OWASP, CWE, WASC, SANS and CERT security standards. I can’t find the information on Google.
May I know if there are any plugins for these rules (but I can’t find any developed by SonarQube in the Marketplace)? Or are the security rules tied to the SonarQube version, so we need to update the SonarQube version if there are any updates in the security standards?

I hope one of you can shed some light on this. Thank you!
(Alexandre Gigleux) #3

Hello,

It would be better to consider relying on SonarQube 7.7 Developer Edition, as it contains the latest version of our taint analyzer, coming with 11 injection vulnerability rules on top of the existing Vulnerabilities and Security Hotspots on Java, PHP and C#.

The majority of the Security Hotspot and Vulnerability rules are activated by default, so you have nothing to do. If you want to activate more, you need to create a custom Quality Profile and associate it with your Project.

To get the latest version of the rules or new rules, you need to upgrade:

  • your analyzers
  • or your SonarQube version if you are running SonarQube Developer Edition+, because each upgrade of SQ DE comes with enhancements of the Injection Rules (as of now 11 rules).

I’ll let you search in our Rules Repository, where you can search by tag to find the rules coverage of OWASP, SANS, CERT or CWE.

Regards

(xusheng) #5

Hello Alexandre,

Thanks for sharing the information.

Currently we are facing a similar issue to what was mentioned by the thread starter, whereby every time we would like to update to the latest rule set, the only option is to update the version of SonarQube, which is rather risky.

Thus I am very interested to find out about the analyser that you mentioned, especially how it works and where I can find it, as I can’t seem to locate it in my existing SonarQube, which is running on version 7.6 as well.

Hope to hear from you soon on this.

Thanks

(Alexandre Gigleux) #7

Hello,

All the analyzers provided as plugins can be easily upgraded from the Marketplace. It’s a matter of one click and reverting is as simple as replacing a JAR file in the extensions/plugins directory. But honestly I don’t see why you would need to revert a plugin upgrade.

For the Injection Vulnerability Rules, there is no other choice than upgrading SonarQube because they are provided by SonarQube itself. Upgrading is easy and not risky if you take the time to do a backup of your DB before running the upgrade process. Everything is described here: https://docs.sonarqube.org/latest/setup/upgrading/