SonarQube plugin plans?

Jim Sellers

Dec 29, 2014, 3:02:22 PM
to dependen...@googlegroups.com
Hello.

I was wondering if there are any plans to build a SonarQube plugin?

Our teams use this as a central place to look at violations and how to prioritize work.

Thanks for your time,
Jim

Steve Springett

Dec 29, 2014, 4:48:39 PM
to dependen...@googlegroups.com
Jim,

Yes, there are plans to build a SonarQube plugin. This work has started, but a lack of time has prevented me from dedicating any serious time to the effort.

I believe a more comprehensive solution would be the integration of Dependency Check, ThreadFix, and SonarQube. Using the command line interface or Jenkins plugin, the result from a Dependency Check analysis can be automatically uploaded to ThreadFix. Once in ThreadFix, the findings are aggregated with findings from other tools (along with manual findings). The result is a collection of security defects. It makes more sense to integrate ThreadFix with Sonar, as you'll be able to add additional security tools in a continuous security environment in the future and have the collective results become an overall quality metric.

There are plans to build a SonarQube plugin for ThreadFix. To my knowledge nobody has started this effort, although my employer is seriously considering taking on this effort.

--Steve
--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jim Sellers

Dec 29, 2014, 5:13:09 PM
to Steve Springett, dependen...@googlegroups.com
Hi Steve.

Short term, I would rather get the Sonar plugin up and running. The code you started, is it public? Maybe I could put some time against it.

Jim

Steve Springett

Dec 29, 2014, 5:37:40 PM
to dependen...@googlegroups.com
Jim,

I should be able to revisit the code in the next few weeks and make the repo public.

--Steve

Steve Springett

Jan 12, 2015, 12:29:14 PM
to dependen...@googlegroups.com
Jim,

The SonarQube plugin is in the works. The code has been posted to https://github.com/stevespringett/dependency-check-sonar-plugin . As soon as it's nearing completion, the repo will be moved under https://github.com/SonarCommunity/

Please view the README as it’s not currently possible to complete the plugin due to changes in SonarQube 4.2 which prohibit the index of binary files (i.e. third-party components).

—Steve

Jim Sellers

Jan 12, 2015, 2:06:45 PM
to Steve Springett, dependen...@googlegroups.com
Well, that's unfortunate. I've voted on this issue.

The current state of the plugin, what does it do?

Thanks for your work on this.
Jim

Steve Springett

Jan 12, 2015, 2:38:53 PM
to dependen...@googlegroups.com
Jim,

The plugin is registered when Sonar starts. The Widget is selectable and can be included in the dashboard. The Dependency-Check report is properly parsed via sonar-runner -Dsonar.dependencyCheck.reportPath (similar to how the Sonar Fortify plugin works). When parsing the Dependency-Check XML report, when vulnerabilities are found, the plugin will attempt to create a Sonar issue out of them. However, because the file referenced in the report will be binary, Sonar will not create the issue, so nothing is imported. Because nothing is imported, nothing will be visible in the widget. I haven’t started working much on the widget (it’s mostly just a placeholder).

Basically, the plugin is about 90% complete, yet it doesn’t do anything useful.

Things that need to be done are to change the creation of issues in the plugin to the new API when SonarSource publishes it (thanks for voting by the way). The widget needs to be written. And there may be some tweaking on how the ‘rule’ works. Not much work at all. Just frustrating that I’ve hit this blocking issue.

I’m keeping a watch on this issue. Whenever SonarQube is capable of indexing binaries, I’ll jump back into working on the plugin.

—Steve

Jeremy Long

Jan 12, 2015, 3:02:34 PM
to Steve Springett, dependen...@googlegroups.com
Steve

In the interim, could we reference the build artifacts (i.e. the pom or build.xml)?

Jeremy

Steve Springett

Jan 12, 2015, 3:15:31 PM
to dependen...@googlegroups.com
We could potentially do this for Java projects that have the Sonar XML plugin enabled. But for instances with the plugin disabled, I don't think it will be possible to reference the build files.

I’ll have to research this a bit and see what I can hack together.

—Steve
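The two ideas above (parsing the Dependency-Check XML report into one Sonar issue per vulnerability, and anchoring those issues on a text build file such as pom.xml when the real target is a binary the server will not index) as an added, self-contained example. This is illustration code written for this page, not code from the dependency-check-sonar-plugin repository. The report is a constructed sample, its element layout is an assumption modelled on the report format rather than a copy of the real schema, the library and CVE names are placeholders, and the CVSS-to-Sonar severity thresholds and the binary-suffix list are this example's own choices.

```python
"""Added example: parse a Dependency-Check XML report into findings,
then build issue records that fall back to a text build file whenever
the reported dependency is a binary SonarQube cannot index."""

import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "dependency file_path name score severity")
Issue = namedtuple("Issue", "resource message severity")

# Assumed list of artifact types the server refuses to index.
BINARY_SUFFIXES = (".jar", ".war", ".ear", ".zip", ".dll", ".exe")

# Constructed sample report; element names are an assumption modelled on
# the report layout, library and CVE names are placeholders.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<analysis xmlns="urn:example:dependency-check">
  <dependencies>
    <dependency>
      <fileName>example-lib-1.0.jar</fileName>
      <filePath>/home/build/.m2/repository/example/example-lib-1.0.jar</filePath>
      <vulnerabilities>
        <vulnerability>
          <name>EXAMPLE-CVE-1</name>
          <cvssScore>7.5</cvssScore>
          <severity>High</severity>
        </vulnerability>
        <vulnerability>
          <name>EXAMPLE-CVE-2</name>
          <cvssScore>4.3</cvssScore>
          <severity>Medium</severity>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>clean-lib-2.0.jar</fileName>
      <filePath>/home/build/lib/clean-lib-2.0.jar</filePath>
      <vulnerabilities/>
    </dependency>
  </dependencies>
</analysis>
"""


def _strip_namespaces(root):
    """Drop XML namespaces so path lookups work whatever xmlns is declared."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def parse_report(xml_text):
    """Return one Finding per vulnerability listed in the report."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []
    for dep in root.iterfind("./dependencies/dependency"):
        file_name = dep.findtext("fileName", "")
        file_path = dep.findtext("filePath", "")
        for vuln in dep.iterfind("./vulnerabilities/vulnerability"):
            score_text = vuln.findtext("cvssScore", "") or "0"
            findings.append(Finding(
                dependency=file_name,
                file_path=file_path,
                name=vuln.findtext("name", ""),
                score=float(score_text),
                severity=vuln.findtext("severity", "").upper(),
            ))
    return findings


def is_binary_resource(path):
    """True when the path points at an artifact the server will not index."""
    return path.lower().endswith(BINARY_SUFFIXES)


def sonar_severity(score):
    """Map a CVSS base score to a Sonar severity (assumed thresholds)."""
    if score >= 9.0:
        return "BLOCKER"
    if score >= 7.0:
        return "CRITICAL"
    if score >= 4.0:
        return "MAJOR"
    return "MINOR"


def to_issues(findings, fallback_resource="pom.xml"):
    """One Issue per Finding. Binary dependencies are anchored on the
    fallback build file, with the real jar named in the message so the
    information survives; indexable paths are anchored on themselves."""
    issues = []
    for f in findings:
        resource = fallback_resource if is_binary_resource(f.file_path) else f.file_path
        message = "%s in %s (CVSS %.1f, %s)" % (f.name, f.dependency, f.score, f.severity)
        issues.append(Issue(resource, message, sonar_severity(f.score)))
    return issues


def worst_score(findings):
    """Highest CVSS score in the report, usable as a dashboard metric."""
    return max((f.score for f in findings), default=0.0)
```

Run it against a real report by reading the file path passed as `-Dsonar.dependencyCheck.reportPath` into `parse_report`; the namespace stripping means the report's `xmlns` does not need to be hard-coded. Note that the fallback deliberately keeps every finding: a plugin that silently drops issues whose target cannot be indexed (the failure mode described in the thread) reports an empty widget that looks like a clean scan.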

Steve Springett

Jan 21, 2015, 2:46:18 PM
to dependen...@googlegroups.com
The issue has been resolved in the SonarQube trunk and will be included in the upcoming 5.1 release. As soon as an RC of 5.1 is available, I'll revisit the plugin and assuming everything works as expected, complete the Dependency-Check Sonar plugin.

Steve Springett

Apr 27, 2015, 3:35:08 PM
to dependen...@googlegroups.com
Here's an update on the SonarQube plugin. With the release of 5.1 on April 2nd, it appears that we have everything necessary to complete the plugin.

I've been working on it steadily over the past week and making good progress. Vulnerabilities from the Dependency-Check report are properly being imported into SonarQube. I still have a bit more work to do on this, as well as the creation of the dashboard widget.

Expect more news and an announcement soon.

--Steve