SonarQube Security Scanning

Hi,

I just tried SonarQube and have a few questions:

  1. Since we are using it for security vulnerabilities, is there any way to filter that part of the application? The best I could find is to scan a project and then filter using the API; is that the only way?
  2. Is there any way to scan a project without compiling / binaries? What happens if a project fails to compile?

Thanks

Hi,

Welcome to the community!

It’s not clear what type of filtering you want to do. If you want to analyze only part of the project, you can do that with exclusions. If you want to analyze the whole project but only with Security rules, then just create a Quality Profile containing only those rules and assign the project to it.

Assuming we’re talking about Java, C, C++, Objective-C, or C#, no.

Then it’s not analyzable but that’s not such a crisis because it’s not deployable either.

HTH,
Ann

Thanks Ann

I’m looking for something similar to HP’s Fortify or Checkmarx, so only security rules, but as far as I’ve seen on a few “vulnerable” projects, even with all the analyzers the quality of the findings is very poor to say the least, and it doesn’t find actual issues like SQLi in the code even though it’s vulnerable.

Is this still an OWASP project, or has it outgrown its original purpose and become a code quality tool?

Hello @Rozo
SonarQube/SonarCloud has great ambitions for the code security domain. Currently, many different vulnerabilities are supported (but note that injection rules like SQLi are only available starting with SonarQube Commercial Edition).

We always welcome feedback from the community to improve our detection engine; if you can share the vulnerable code samples where SQ/SC is unable to find any issues, we will look into that.

Eric

Hi,

Just to be clear, SonarQube has never been an OWASP project. It began as a code quality tool, and is growing into a security tool.

Ann

Ok… what about this then?
https://www.owasp.org/index.php/OWASP_SonarQube_Project#tab=Main

Separate but related. From your link:

“This project aims to enable more security functionalities to SonarQube and use it as an SAST”

Ann

One more question regarding this part: if this is true, does it override the rules list?
https://rules.sonarsource.com/java/tag/cwe/RSPEC-2077

Injection rules are additional security rules.

The rule RSPEC-2077 is a hotspot; it will raise whenever formatted queries are found (the goal is to lead you to the proper use of prepared statements, which are good for security and performance).

If a SQL injection is found, the rule RSPEC-3649 (available starting with SQ Commercial Edition) will be triggered.

Eric
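To make the hotspot-versus-vulnerability distinction from Eric’s reply concrete, here is an added Java illustration (not code from the thread or from SonarSource): the first method builds the query text from its argument, which is the “formatted query” pattern the hotspot rule RSPEC-2077 flags for review, while the second binds the value through a PreparedStatement, the remediation the hotspot points to. The table name `users` and columns `name`/`email` are assumed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {

    // Hotspot pattern: the SQL text is assembled from a value supplied by the
    // caller. RSPEC-2077 raises a Security Hotspot here so a reviewer can decide
    // whether 'username' can ever carry untrusted data. If the analyzer traces
    // it back to an external input, the injection rule RSPEC-3649 (Commercial
    // Edition) reports a vulnerability instead of a hotspot.
    static String findEmailFormatted(Connection conn, String username) throws SQLException {
        String sql = String.format("SELECT email FROM users WHERE name = '%s'", username);
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // Remediation: the query text is a constant and the value is sent to the
    // driver as a bound parameter, so it can never change the statement's
    // structure. Neither rule raises on this method, and a name such as
    // O'Brien is handled correctly instead of breaking the SQL.
    static String findEmailPrepared(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }
}
```

Running both methods against the same connection with a name containing an apostrophe shows the practical difference: the formatted version fails with a SQL syntax error, while the prepared version returns the matching row.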