ZAP Tool Integration with SonarCloud

We are trying to get the OWASP ZAP scanning result to be processed in SonarCloud, so the result can be published in the SonarCloud dashboard. We don’t know how. Do we need a plug-in? Can anyone please help!

Hi,

Welcome to the community!

SonarCloud doesn’t support plugins. However, if you can get your OWASP ZAP report into the Generic Issue format you should still be able to include it in your SonarCloud analysis.

 
HTH,
Ann

Thank you very much. Looks like we have to develop a simple converter.

1 Like
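Such a converter, as an added example that is not from this thread or from SonarSource: it turns the alerts of a ZAP JSON report into the Generic Issue format that analysis picks up via `sonar.externalIssuesReportPaths`. It assumes the traditional ZAP JSON layout (`site[].alerts[].instances[]`), my own riskcode-to-severity mapping, and that every finding is attached at file level to one placeholder file that exists in the repository, because generic issues must point at a file analysis can see (a DAST finding has no source line of its own).

```python
# Convert an OWASP ZAP JSON report into SonarQube/SonarCloud Generic Issue format.
# Assumptions (not from the thread): ZAP's traditional JSON layout, and a
# placeholder file path committed to the repo, since filePath is required.
import json

# Constructed sample: a trimmed ZAP JSON report with one site and two alerts.
ZAP_REPORT = {
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "solution": "Set a CSP header.",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"},
                           {"uri": "https://app.example.test/login", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "solution": "Encode output.",
             "instances": [{"uri": "https://app.example.test/search?q=x",
                            "method": "GET", "param": "q"}]},
        ],
    }]
}

# ZAP riskcode (0 info, 1 low, 2 medium, 3 high) -> Sonar severity (my mapping).
SEVERITY = {"0": "INFO", "1": "MINOR", "2": "MAJOR", "3": "CRITICAL"}


def zap_to_generic_issues(report, file_path="dast/zap-findings.txt"):
    """Return a Generic Issue document with one issue per ZAP alert instance."""
    issues = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                where = inst.get("method", "") + " " + inst.get("uri", "")
                if inst.get("param"):
                    where += " (param: %s)" % inst["param"]
                issues.append({
                    "engineId": "owasp-zap",
                    "ruleId": "zap-" + str(alert["pluginid"]),
                    "severity": SEVERITY.get(str(alert.get("riskcode", "0")), "INFO"),
                    "type": "VULNERABILITY",
                    # No textRange: the issue is reported at file level on the placeholder.
                    "primaryLocation": {"message": alert["alert"] + ": " + where,
                                        "filePath": file_path},
                })
    return {"issues": issues}


if __name__ == "__main__":
    print(json.dumps(zap_to_generic_issues(ZAP_REPORT), indent=2))
```

Write the output to a file, point `sonar.externalIssuesReportPaths` at it, and make sure the ZAP scan has finished before the scanner step runs, since analysis only reads reports that exist at that moment.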

Hello Ann,

When you say “should still be able to include it in your SonarCloud analysis” does this mean the results will show up on the dashboard of SonarCloud? If we get the OWASP ZAP report into the Generic Issue format in an S3 bucket, can SonarCloud be configured so that it reads the file and then the SonarCloud dashboard would display the results? Is this correct? Would that be under OWASP top 10 then? Trying to understand better. Thank you so much!

Hi @April,

Welcome to the community!

If you imported ZAP results as generic issues, they would show up among your issues, and without anything specific on the project homepage.

To better understand, the easiest thing would probably be to write a quick generic issues file (or even copy the example out of the docs) and see how it shows up once you import it.

 
HTH,
Ann

Hi Ann thank you for your help so far. I had some more questions I didn’t know if you could help me with.

  • Where is the import functionality?
  • Where do we write the location/configuration?
  • How do we import the issue into SonarCloud?

Hi,

Did you check out the docs link I sent earlier? The import functionality is part of analysis. You create the report and provide it to analysis => import.

 
Ann

So, if I’m reading this right, the docs seem to reference an artifact path within the local directory (Test Coverage & Execution | SonarQube Docs). I don’t think SonarCloud runs build steps, so it wouldn’t have access to artifacts (unless it can read S3). Does it run SonarScanner (the CLI) under the hood (SonarScanner | SonarQube Docs)? Am I supposed to check the result into git? Because that feels clunky. There doesn’t seem to be an API path to post this to, per commit, which would seem more natural.

I guess, if SonarScanner needs the result of DAST (which I would like to have run afterwards, but I suppose before works), if there were a way to make SonarScanner run the SAST portions at the same time, then wait for the ZAP result to finish, that would be great… but that complicates running parallel pipelines. Running both at the same time gets a faster result, which is neat. Or, just having the result from ZAP reference the same commit and not overwrite the previous SonarCloud report, but just append to it.

Hi @Cameron1 ,

Welcome to the community!

Analysis reads your source code, your reports, and - depending on the language - your build output (e.g. Java .class files). That’s all.

And there’s no way to parallelize SonarQube analysis with your other analyzers and have the output of those analyzers included in your SonarQube analysis. Analysis reads the reports that are available at the time analysis is run; there’s no updating it with late-breaking results.

 
HTH,
Ann