Sonar Plugin


tlope...@gmail.com

May 12, 2016, 12:45:45 PM
to ThreadFix
Hey,

I'm feeding the ThreadFix Sonar Plugin an XML report created by OWASP ZAP.

The only information I'm getting in SonarQube from this report is the ThreadFix Total Vulnerabilities. Is this normal?


What kind of output should be expected in Sonar from static reports and dynamic reports?

Thanks,
Tiago Lopes.

tlope...@gmail.com

May 17, 2016, 5:42:51 AM
to ThreadFix, tlope...@gmail.com
And using Sonar Plugin 2.3 I get this error:

"[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.0.2:sonar (default-cli) on project platform: Error creating bean with name 'getPersistenceExceptionTranslationPostProcessor' defined in class com.denimgroup.threadfix.importer.util.SpringConfiguration: Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'annotationSessionFactoryBean' defined in class com.denimgroup.threadfix.importer.util.SpringConfiguration: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean com.denimgroup.threadfix.importer.util.SpringConfiguration.annotationSessionFactoryBean()] threw exception; nested exception is java.lang.NoClassDefFoundError: javax/persistence/Entity: javax.persistence.Entity "

Daniel Maldonado

May 18, 2016, 3:54:24 PM
to ThreadFix, tlope...@gmail.com
Tiago,

If you dig into the specific vulnerability there should be a marker (see below) embedded in the source within SonarQube.

Static Report Finding

Static-Dynamic Marker:

Dynamic Finding (has not been merged with a Static Finding)

Dynamic findings that have not been merged with a static finding are associated with a default file, which can be configured in your sonar-project.properties.


Daniel Maldonado

Daniel Maldonado

May 18, 2016, 3:56:12 PM
to ThreadFix, tlope...@gmail.com
Tiago,

What version of SonarQube/Sonar Runner are you using? Did the plugin work prior to ThreadFix 2.3?

Thanks,
Daniel Maldonado

tlope...@gmail.com

May 20, 2016, 10:24:34 AM
to ThreadFix, tlope...@gmail.com
I'm using SonarQube 5.5 and Sonar Scanner 2.6.1.

With this setup Sonar Plugin 2.2 (downloaded from your website) works, but finds 0 issues using the ThreadFix profile, and
findings imported from an XML report only appear in the Measures menu as "ThreadFix Total Vulnerabilities"; no further information is provided.

Using Sonar Plugin 2.2 (downloaded from ThreadFix 2.2.7.2 CE) I get the ERROR mentioned above, and the same applies to version 2.3.

Daniel Maldonado

May 20, 2016, 12:47:59 PM
to ThreadFix, tlope...@gmail.com
Tiago,

Thanks for the additional information. We will do some digging and get back to you.

Daniel M

tlope...@gmail.com

May 25, 2016, 11:49:05 AM
to ThreadFix, tlope...@gmail.com
Any news?

Is it my configuration or perhaps the setup (versions installed)?


If possible please share a test project for me to run.


Thanks.

Daniel Maldonado

May 25, 2016, 7:23:19 PM
to ThreadFix, tlope...@gmail.com
Tiago,


It might be a configuration problem. To confirm, are you running the plugin in Local Mode? When you switch plugins are you removing the previous plugin completely? When switching/installing plugins have you restarted SonarQube?


Below is a list of the combinations you have tried and their results; does everything look correct?

ThreadFix 2.3 / Sonar Plugin 2.3 / SonarQube 5.5 / SonarRunner 2.6.1 -> maven error

ThreadFix 2.3 / Sonar Plugin 2.2 (Downloaded from TF) / SonarQube 5.5 / SonarRunner 2.6.1 -> works, with no results [NOT RECOMMENDED]

ThreadFix 2.2.7.2 / Sonar Plugin 2.2 (Downloaded from TF) / SonarQube 5.5 / SonarRunner 2.6.1 -> maven error

ThreadFix 2.3 / Sonar Plugin 2.2 (Downloaded from Web) / SonarQube 5.5 / SonarRunner 2.6.1 -> works, with no results [NOT RECOMMENDED]

ThreadFix 2.2.7.2 / Sonar Plugin 2.2 (Downloaded from Web) / SonarQube 5.5 / SonarRunner 2.6.1 -> works, with no results


I recommend staying on ThreadFix 2.3 and the latest Sonar Plugin downloaded from ThreadFix 2.3 while troubleshooting. 


That being said, we've logged this as an issue to investigate. Unfortunately, our enterprise clients have to come first, so we have not yet had an opportunity to dig further into the issue.


We are in the final testing phase for our 2.4 enterprise release due end of June, after which we should be able to provide more insight into this.


I appreciate your patience,

Daniel M

tlope...@gmail.com

May 27, 2016, 12:04:25 PM
to ThreadFix, tlope...@gmail.com
Hey, gave it a few more tries today,


Changes:
Updated SonarQube to 5.6
Testing project: WebGoat(-develop)
https://github.com/WebGoat/WebGoat


Feeding Sonar Plugin with ZAP scan of Webgoat on the following setup:
ThreadFix 2.3 / Sonar Plugin 2.3 / SonarQube 5.6 / SonarRunner 2.6.1
-> maven error persists

Log(Jenkins, SonarQube and ThreadFix Plugin): http://pastebin.com/j6pJyit5

_________________________________________________________________________

Feeding Sonar Plugin with ZAP and AppScan Source scan of Webgoat on the following setup:
ThreadFix 2.3 / Sonar Plugin 2.2 (Downloaded from Web) / SonarQube 5.6 / SonarRunner 2.6.1


-> works, with no results [NOT RECOMMENDED]

Even though there are 104 ThreadFix Total Vulnerabilities, no new issues were created.


Log(Jenkins, SonarQube and ThreadFix Plugin): http://pastebin.com/FtEHtDUP

No progress was made.

tlope...@gmail.com

May 30, 2016, 6:19:33 AM
to ThreadFix, tlope...@gmail.com
On Thursday, May 26, 2016 at 12:23:19 AM UTC+1, Daniel Maldonado wrote:
> Tiago,
>
>
>
> It might be a configuration problem. To confirm, are you running the plugin in Local Mode? When you switch plugins are you removing the previous plugin completely? When switching/installing plugins have you restarted SonarQube?
>
>
> Below is a list of compositions you have tried and their results, does everything look correct?

Yes to everything: running in local mode using a Maven project with the Maven setup; I remove it completely and restart.

The list is correct.

Robert Curcio

Sep 13, 2016, 12:43:07 PM
to ThreadFix, tlope...@gmail.com
I'm getting 0, so I must be doing something wrong.