What exactly is a rule repository?


Dominik Kaspar

Apr 11, 2018, 4:04:03 PM
to SonarQube
Hi,

In the SonarQube Web UI (6.7.2) I can click on the Rules tab to search for rules. There are various filters and one of them is called 'Repository', which I don't understand. The docs state that a repository is "the engine that contributes rules to SonarQube", which just confuses me even more ;) Can anyone please explain a bit more in detail what a rule repository is?

For example, we have a total of 1897 Java rules.
  • 458 come from the Findbugs repository, so I assume they are there because we have sonar-findbugs-plugin-3.6.0.jar installed
  • some other repositories I can also directly associate to plugins (e.g., SonarAnalyzer, PMD)
  • but some repositories are weird, like 'Common Java' with 6 rules and 'Coverage evolution' with only 1 rule in it
Thanks for any enlightenment!

Cheers,
Dominik

G. Ann Campbell

Apr 12, 2018, 9:09:56 AM
to SonarQube
Hi Dominik,

Generally speaking, repositories correspond to analyzer plugins. (Technically, I believe it would be possible for one plugin to declare 2 repositories, but I've never seen that happen.) The 'Common' repository is provided by SonarQube itself and its rules are available in all languages, so you'll see for instance Common Java, Common PHP, Common Language-you-wrote-a-plugin-to-support, and so on. For the 'Coverage evolution' repository, you must have installed some extra plugin that adds that one rule.


HTH,
Ann

Nicolas Bontoux

Apr 12, 2018, 9:18:51 AM
to G. Ann Campbell, SonarQube
Hey Dominik,

To complement Ann's answer, check out the SonarPython case: two repositories (not mentioning the common one), one for rules natively implemented, one for Pylint-integration rules. I tend to think of repositories just as logical entities, grouping rules that deserve to be together.

Nicolas

--

Nicolas Bontoux | SonarSource

Support Engineer

http://sonarsource.com
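To make Ann's and Nicolas's description concrete, the following shows how an analyzer plugin declares rule repositories through the SonarQube plugin API (`org.sonar.api.server.rule.RulesDefinition`). This is an added example and not code from SonarQube, SonarPython or any SonarSource plugin; the plugin, repository and rule keys (`example-java`, `example-lint`, `NativeCheck1`, `LINT001`) and the rule titles are made up for illustration. It mirrors the SonarPython layout Nicolas describes: one repository for rules implemented natively by the plugin, a second one for rules imported from an external linter, both registered by a single plugin.

```java
import org.sonar.api.Plugin;
import org.sonar.api.rule.RuleKey;
import org.sonar.api.rule.Severity;
import org.sonar.api.rules.RuleType;
import org.sonar.api.server.rule.RulesDefinition;

/**
 * Hypothetical rule definitions for an imaginary Java analyzer plugin.
 * One plugin contributes TWO repositories; each of them shows up as a
 * separate entry under the 'Repository' filter of the Rules tab.
 */
public class ExampleRulesDefinition implements RulesDefinition {

  // Repository keys are the part of a rule key before the colon,
  // e.g. "example-java:NativeCheck1". Both keys are made up.
  public static final String NATIVE_REPOSITORY_KEY = "example-java";
  public static final String LINT_REPOSITORY_KEY = "example-lint";
  public static final String LANGUAGE = "java";

  @Override
  public void define(Context context) {
    // Repository 1: rules implemented by the plugin itself.
    NewRepository nativeRepo = context
        .createRepository(NATIVE_REPOSITORY_KEY, LANGUAGE)
        .setName("Example Java");

    nativeRepo.createRule("NativeCheck1")
        .setName("Cookies should be marked HttpOnly")
        .setHtmlDescription("<p>Illustrative description of a made-up rule.</p>")
        .setSeverity(Severity.MAJOR)
        .setType(RuleType.VULNERABILITY)
        .setTags("cwe", "owasp-a7");

    // done() finalises the repository; only then are its rules visible.
    nativeRepo.done();

    // Repository 2: rules imported from an external linter that the
    // plugin wraps (the Pylint-integration case from the thread).
    NewRepository lintRepo = context
        .createRepository(LINT_REPOSITORY_KEY, LANGUAGE)
        .setName("Example Lint");

    lintRepo.createRule("LINT001")
        .setName("Imported linter finding: unused variable")
        .setHtmlDescription("<p>Imported from the external linter's rule catalogue.</p>")
        .setSeverity(Severity.MINOR)
        .setType(RuleType.CODE_SMELL);

    lintRepo.done();
  }

  /**
   * A fully qualified rule key is "<repository>:<rule>". This is what a
   * quality profile stores and what every issue is attributed to.
   */
  public static RuleKey nativeRuleKey(String ruleId) {
    return RuleKey.of(NATIVE_REPOSITORY_KEY, ruleId);
  }
}

/** Plugin entry point: registering the definition makes SonarQube load both repositories. */
class ExamplePlugin implements Plugin {
  @Override
  public void define(Context context) {
    context.addExtension(ExampleRulesDefinition.class);
  }
}
```

With such a plugin JAR deployed and the server restarted, the Rules tab would list 'Example Java' and 'Example Lint' as two repositories even though they come from one plugin, and rule keys would read `example-java:NativeCheck1` and `example-lint:LINT001`. That repository prefix is also the practical way to tell, for any rule in a quality profile, which plugin (and therefore which engine) is responsible for reporting it.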

G. Ann Campbell

Apr 12, 2018, 9:23:15 AM
to Nicolas Bontoux, SonarQube
Clearly I haven't paid the attention I should have to SonarPython. :-]


Ann



---
G. Ann Campbell | SonarSource
Product Manager
@GAnnCampbell


Dominik Kaspar

Apr 13, 2018, 1:33:59 AM
to SonarQube
Hi Ann & Nicolas,

Thanks for your explanations.
If I understand correctly, when I install a new plugin then new rules are introduced into my SonarQube instance.
And in each plugin, rules may be grouped into one or multiple repositories... so installing a new plugin adds new repositories (with rules in them).

I was stumbling over the term 'repositories' when trying to figure out why SonarLint does not report all the issues that are part of my project's quality profile.
Is it correct that SonarLint only knows about the rules that are part of the "SonarAnalyzer" and "Common" repositories?
Or in other words, SonarLint never catches any issues that are covered by rules in unknown/non-sonarsource repositories (like Findbugs)?
Our quality profile contains about 25% findbugs rules, so SonarLint misses out on many issues that SonarQube catches... quite confusing >.<

Cheers,
Dominik

G. Ann Campbell

Apr 13, 2018, 7:21:31 AM
to Dominik Kaspar, SonarQube
Hi Dominik,

Yes, SonarLint whitelists the SonarSource analyzers and only executes those so we can be sure we're able to provide you with a good experience. 


Ann



---
G. Ann Campbell | SonarSource
Product Manager
@GAnnCampbell


G. Ann Campbell

Apr 13, 2018, 10:05:28 AM
to Dominik Kaspar, SonarQube
Hi Dominik,

Please don't forget to include the group in your replies.

There isn't an "opt-in for a bad experience" :-)

Instead let me flip this around and ask which FindBugs rules you're using, because we've re-implemented many of them. 


Ann



---
G. Ann Campbell | SonarSource
Product Manager
@GAnnCampbell

On Fri, Apr 13, 2018 at 8:06 AM, Dominik Kaspar <doka...@gmail.com> wrote:
Hi Ann,

Is there no SonarLint flag that I can set to opt-in for a bad experience? ;)

By mixing official rules from 'Sonar way' with untrusted rules from third-party repositories in our default profile we already decided that we want "a bad experience".
Now we get an even worse experience, because SonarLint forces us to have "a good experience"...
No matter what "good" or "bad" means... we just expect that SonarLint and SonarQube result in the same experience!
IMHO, it does not make sense to allow setting up profiles which are respected by SonarQube but ignored by SonarLint.

Cheers,
Dominik

Dominik Kaspar

Apr 16, 2018, 8:24:42 AM
to G. Ann Campbell, SonarQube
Hi Ann,

We have recently enabled a lot of security rules from FindBugs (see list below) in our default profile.
If you have re-implemented many of them, it may be our best choice to purely use the 'Sonar way' profile.

Regards,
Dominik

PS: list of 83 FindBugs rules we use and which SonarLint does not report:

Security - A malicious XSLT could be provided
Security - A prepared statement is generated from a nonconstant String
Security - Absolute path traversal in servlet
Security - Bad hexadecimal concatenation
Security - Blowfish usage with short key
Security - Broadcast (Android)
Security - Cipher is susceptible to Padding Oracle
Security - Cipher with no integrity
Security - Cookie without the HttpOnly flag
Security - Cookie without the secure flag
Security - DES/DESede is insecure
Security - ECB mode is insecure
Security - Empty database password
Security - External file access (Android)
Security - FilenameUtils not filtering null bytes
Security - Found JAX-RS REST endpoint
Security - Found JAX-WS SOAP endpoint
Security - Found Spring endpoint
Security - Found Struts 1 endpoint
Security - Found Struts 2 endpoint
Security - Found Tapestry page
Security - Found Wicket WebPage
Security - Hard Coded Key
Security - Hard Coded Password
Security - Hardcoded constant database password
Security - Hazelcast symmetric encryption
Security - HostnameVerifier that accept any signed certificates
Security - HTTP cookie formed from untrusted input
Security - HTTP headers untrusted
Security - HTTP Response splitting vulnerability
Security - MD2, MD4 and MD5 are weak hash functions
Security - Message digest is custom
Security - Nonconstant string passed to execute or addBatch method on an SQL statement
Security - NullCipher is insecure
Security - Object deserialization is used in {1}
Security - Potential code injection in Seam logging call
Security - Potential code injection when using Expression Language (EL)
Security - Potential code injection when using Script Engine
Security - Potential code injection when using Spring Expression
Security - Potential CRLF Injection for logs
Security - Potential external control of configuration
Security - Potential HTTP Response Splitting
Security - Potential JDBC Injection
Security - Potential JDBC Injection (Spring JDBC)
Security - Potential LDAP Injection
Security - Potential Path Traversal (file write)
Security - Potential SQL/HQL Injection (Hibernate)
Security - Potential SQL/JDOQL Injection (JDO)
Security - Potential SQL/JPQL Injection (JPA)
Security - Potential XPath Injection
Security - Potentially sensitive data in a cookie
Security - Predictable pseudorandom number generator
Security - Regex DOS (ReDOS)
Security - Relative path traversal in servlet
Security - RSA usage with short key
Security - RSA with no padding is insecure
Security - Servlet reflected cross site scripting vulnerability
Security - Servlet reflected cross site scripting vulnerability in error page
Security - SHA-1 is a weak hash function
Security - Static IV
Security - Struts Form without input validation
Security - Tainted filename read
Security - Trust Boundary Violation
Security - TrustManager that accept any certificates
Security - Unencrypted Socket
Security - Untrusted Content-Type header
Security - Untrusted Hostname header
Security - Untrusted query string
Security - Untrusted Referer header
Security - Untrusted servlet parameter
Security - Untrusted session cookie value
Security - Untrusted User-Agent header
Security - Unvalidated Redirect
Security - Use of ESAPI Encryptor
Security - WebView with geolocation activated (Android)
Security - WebView with JavaScript enabled (Android)
Security - WebView with JavaScript interface (Android)
Security - World writable file (Android)
Security - XML parsing vulnerable to XXE (DocumentBuilder)
Security - XML parsing vulnerable to XXE (SAXParser)
Security - XML parsing vulnerable to XXE (XMLReader)
Security - XMLDecoder usage
Security - XSSRequestWrapper is a weak XSS protection


G. Ann Campbell

Apr 16, 2018, 9:16:54 AM
to Dominik Kaspar, SonarQube
Hi,

Our mapping is by key, rather than by title, but this may help: http://dist.sonarsource.com/reports/coverage/findbugs.html


Ann



---
G. Ann Campbell | SonarSource
Product Manager
@GAnnCampbell
