SonarQube Security Scanning

Rozo · January 6, 2020, 3:51pm

Hi,

I just tried SonarQube and have a few questions:

Since we are using it for security vulnerabilities, is there any way to filter that part of the application? best i could find is to scan a project and then filter using the api, is that the only way?
Is there any way to scan a project without compiling\binaries? what happens if a project fails to compile?

Thanks

ganncamp · January 7, 2020, 4:58pm

Hi,

Welcome to the community!

It’s not clear what type of filtering you want to do. If you want to analyze only part of the project, you can do that with exclusions. If you want to analyze the whole project but only with Security rules, then just create a Quality Profile containing only those rules and assign the project to it.

Assuming we’re talking about Java, C, C++, Objective-C, or C#, no.

Then it’s not analyzable but that’s not such a crisis because it’s not deployable either.

HTH,
Ann

Rozo · January 7, 2020, 10:55pm

Thanks Ann

I’m looking for something similar to Hp’s Fortify or Checkmarkx so only security rules, but as far as i’ve on a few “vulnerable” projects even with all the analyzers the quality of the findings is very poor to say the least and it doesn’t find actual issues like SQLI in the code even tho it’s vulnerable

Is this still an OWASP project or has it outgrown its original purpose and became a code quality tool?

eric.therond · January 8, 2020, 8:09am

Hello @Rozo
SonarQube/SonarCloud has great ambitions for the code security domain. Currently, many different vulnerabilities are supported (but note that injection rules like SQLi are only available starting SonarQube Commercial Edition).

We always welcome feedback from the community to improve our detection engine, if you can share the vulnerable code samples where SQ/SC is unable to find any issues we will look into that.

Eric

ganncamp · January 8, 2020, 1:47pm

Hi,

Just to be clear, SonarQube has never been an OWASP project. It began as a code quality tool, and is growing into a security tool.

Ann

Rozo · January 8, 2020, 5:57pm

Ok… what about this then?
https://www.owasp.org/index.php/OWASP_SonarQube_Project#tab=Main

ganncamp · January 8, 2020, 6:10pm

Separate but related. From your link:

This project aims to enable more security functionalities to SonarQube and use it as an SAST

Ann

Rozo · January 11, 2020, 7:25pm

One more question regarding this part, if this is true then it overrides the rules list?

eric.therond · January 13, 2020, 8:21am

Injection rules are additional security rules.

The rule RSPEC-2077 is a hotspot, it will raise whenever formatted queries are found (the goal is to lead you to the proper use of prepare statements which are good for security and performance).

If a SQL injection is found, the rule RSPEC-3649 (available starting SQ Commercial Edition) will be triggered.

Eric

Carlos_Gaspar · May 5, 2023, 4:07pm

Hi!
Sorry for recover such an old message.
But I’m having a hard time to understand which are the security issues supported by the commercial editions (DE or EE) and not supported by the community edition.
Could you please tell me where this information is available (or how to find out it)?
Thanks in advance

ganncamp · May 8, 2023, 4:20pm

Hi,

Welcome to the community!

You’ve resurrected a 3y-old thread. Please don’t do that.

You can find information about which rules supported in which edition in the rules site.

If you have further questions, please create a new thread.

Ann