OWASP - User contributions [en]

OWASP SonarQube Project

2018-10-29T23:20:14Z

VinodA: /* Main */

OWASP SonarQube Project

2018-10-29T23:19:21Z

VinodA: /* Main */

Projects/OWASP SonarQube Page

2018-10-28T21:12:00Z

VinodA: LGPL v3

{{Template:Project About
| project_name =OWASP SonarQube Project
| project_description =The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies.
This project aims to enable more security functionalities to SonarQube and use it as an SAST. This project will use open source sonar plugins, rules, as well as other open source plugins especially FindSecBugs and its security rules. FindSecBugs enables the taint analysis.
| project_license =LGPL v3
| leader_name1 = Vinod Anandan
| leader_email1 =vinod@owasp.org
| leader_username1 =
| mailing_list_name = owasp_sonarqube@lists.owasp.org
}}

OWASP SonarQube Project

2018-10-28T21:10:52Z

VinodA: /* Main */ LGPL v3

OWASP SonarQube Project

2018-09-18T14:45:24Z

VinodA:

Source Code Analysis Tools

2017-08-31T16:24:18Z

VinodA: OWASP SonarQube Project

Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. Ideally, such tools would automatically find security flaws with such a high degree of confidence that what's found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that just automatically finds flaws. If you are interested in the effectiveness of SAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including SAST.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.

== Strengths and Weaknesses ==

=== Strengths ===

* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

=== Weaknesses ===

* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your programming language, but not usually a key factor once it does.
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)
* How accurate is it? False Positive/False Negative rates?
** Does the tool have an OWASP [[Benchmark]] score?
* Does it understand the libraries/frameworks you use?
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* How hard is it to setup/use?
* Can it be run continuously and automatically?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==

* [[OWASP SonarQube Project]]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]

==Disclaimer==

Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b>

==Open Source or Free Tools Of This Type==

* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby
* [http://findbugs.sourceforge.net/ FindBugs] - Find Bugs (including a few security flaws) in Java programs
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for FingBugs that significantly improves FindBug's ability to find security vulnerabilities in Java programs
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
* [http://sourceforge.net/projects/rips-scanner/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. The tool comes with a number of predefined vulnerability detectors which can additionally be extended by the user.

==Commercial Tools Of This Type==

* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure)
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security) Latest generation source code analysis tool bugScout detects source code vulnerabilities and makes possible an accurate management of the life cycles due to its easy use.
* [http://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards CAST AIP] (CAST) Performs static and architectural analysis to check for: SQL Injection, Cross Site Scripting (XSS), Input Validation, Insecure Cryptographic Storage, Information Leakage and Improper Error Handling, Data Access, API Abuse, Encapsulation on over 30 languages.
* [https://www.codacy.com/ Codacy] is free for open source projects, and integrates with tools such as Brakeman, Bandit, FindBugs, and a number of others. It offers security patterns for languages such as Python, Ruby, Scala, Java, Javascript and more.
* [http://www.contrastsecurity.com/ Contrast from Contrast Security] Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (HP)
* [http://www.juliasoft.com/solutions Julia] - SaaS Java static analysis (JuliaSoft)
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)
* [https://www.kiuwan.com/code-analysis/ Kiuwan] - SaaS Software Quality & Security Analysis (an [http://www.optimyth.com Optimyth] company)
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) For C/C++, C#
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)

==More info==

* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools

[[Category:OWASP .NET Project]]
[[Category:SAMM-CR-2]]
__NOTOC__

Projects/OWASP SonarQube Page

2017-08-21T06:58:53Z

VinodA:

{{Template:Project About
| project_name =OWASP SonarQube Project
| project_description =The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies.
This project aims to enable more security functionalities to SonarQube and use it as an SAST. This project will use open source sonar plugins, rules, as well as other open source plugins especially FindSecBugs and its security rules. FindSecBugs enables the taint analysis.
| project_license =Apache 2.0 license
| leader_name1 = Vinod Anandan
| leader_email1 =vinod@owasp.org
| leader_username1 =
| mailing_list_name = owasp_sonarqube@lists.owasp.org
}}

OWASP SonarQube Project

2017-08-18T11:35:06Z

VinodA:

OWASP SonarQube Project

2017-08-09T21:52:21Z

VinodA:

OWASP SonarQube Project

2017-08-09T21:36:48Z

VinodA:

OWASP SonarQube Project

2017-08-07T22:05:04Z

VinodA:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

'''NOTE:''' If you are interested in contributing to open source static vulnerability analysis for Java, OWASP recommends you contribute to the [http://find-sec-bugs.github.io/ Find Security Bugs Project] run by Philippe Arteau. FindSecBugs is a FindBugs plugin. Philippe also runs the [https://github.com/SonarQubeCommunity/sonar-findbugs SonarQube FindBugs Plugin Project], which bundles both FindBugs and FindSecBugs into a plugin that can be used with SonarQube and in fact comes bundled with SonarQube by default. So, by contributing to the Find Security Bugs project, you are helping both the Find Bugs and SonarQube user communities at the same time.

----

==About SonarQube==

[http://www.sonarqube.org SonarQube] is an Open Source platform for managing code quality. This platform can be extended with Open Source or commercial plugins, see for instance the [http://redirect.sonarsource.com/plugins/java.html Java], [http://redirect.sonarsource.com/plugins/javascript.html JavaScript], [http://redirect.sonarsource.com/plugins/php.html PHP] and [http://redirect.sonarsource.com/plugins/csharp.html C#] plugins.

==Licensing==
OWASP SonarQube Project is free to use. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;" |

== Project Leader ==

[mailto:vinod@owasp.org Vinod Anandan]

== Email List ==

[https://lists.owasp.org/mailman/listinfo/owasp_sonarqube Sign Up!]

[http://lists.owasp.org/pipermail/owasp_sonarqube/ Archives]

== Repository ==
Here are the repositories for the open source plugins related to this project. Most of them provide security-related rules:
* [https://github.com/SonarSource/sonar-java Java]
* [https://github.com/SonarCommunity/sonar-javascript JavaScript]
* [https://github.com/SonarCommunity/sonar-php PHP]
* [https://github.com/SonarSource/sonar-dotnet-codeanalysis C#]
* [https://github.com/SonarCommunity/sonar-widget-lab Widget Lab] provides security-related SonarQube dashboard widgets

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; How to help ?

= Acknowledgements =

== Sponsors : ==

=Project About=

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP SonarQube Project

2017-08-07T22:03:50Z

VinodA:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

'''NOTE:''' If you are interested in contributing to open source static vulnerability analysis for Java, OWASP recommends you contribute to the [http://find-sec-bugs.github.io/ Find Security Bugs Project] run by Philippe Arteau. FindSecBugs is a FindBugs plugin. Philippe also runs the [https://github.com/SonarQubeCommunity/sonar-findbugs SonarQube FindBugs Plugin Project], which bundles both FindBugs and FindSecBugs into a plugin that can be used with SonarQube and in fact comes bundled with SonarQube by default. So, by contributing to the Find Security Bugs project, you are helping both the Find Bugs and SonarQube user communities at the same time.

----

The "News" is updated as soon as :
* A check specification is created
* A SonarQube analysers containing some stuff relating to this OWASP SonarQube project is released.

==About SonarQube==

[http://www.sonarqube.org SonarQube] is an Open Source platform for managing code quality. This platform can be extended with Open Source or commercial plugins, see for instance the [http://redirect.sonarsource.com/plugins/java.html Java], [http://redirect.sonarsource.com/plugins/javascript.html JavaScript], [http://redirect.sonarsource.com/plugins/php.html PHP] and [http://redirect.sonarsource.com/plugins/csharp.html C#] plugins.

==Licensing==
OWASP SonarQube Project is free to use. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;" |

== Project Leader ==

[mailto:vinod@owasp.org Vinod Anandan]

== Email List ==

[https://lists.owasp.org/mailman/listinfo/owasp_sonarqube Sign Up!]

[http://lists.owasp.org/pipermail/owasp_sonarqube/ Archives]

== Repository ==
Here are the repositories for the open source plugins related to this project. Most of them provide security-related rules:
* [https://github.com/SonarSource/sonar-java Java]
* [https://github.com/SonarCommunity/sonar-javascript JavaScript]
* [https://github.com/SonarCommunity/sonar-php PHP]
* [https://github.com/SonarSource/sonar-dotnet-codeanalysis C#]
* [https://github.com/SonarCommunity/sonar-widget-lab Widget Lab] provides security-related SonarQube dashboard widgets

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; How to help ?

= Acknowledgements =

== Sponsors : ==

=Project About=

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP SonarQube Project

2017-08-07T22:02:34Z

VinodA:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

'''NOTE:''' If you are interested in contributing to open source static vulnerability analysis for Java, OWASP recommends you contribute to the [http://find-sec-bugs.github.io/ Find Security Bugs Project] run by Philippe Arteau. FindSecBugs is a FindBugs plugin. Philippe also runs the [https://github.com/SonarQubeCommunity/sonar-findbugs SonarQube FindBugs Plugin Project], which bundles both FindBugs and FindSecBugs into a plugin that can be used with SonarQube and in fact comes bundled with SonarQube by default. So, by contributing to the Find Security Bugs project, you are helping both the Find Bugs and SonarQube user communities at the same time.

----

The "News" is updated as soon as :
* A check specification is created
* A SonarQube analysers containing some stuff relating to this OWASP SonarQube project is released.

==About SonarQube==

[http://www.sonarqube.org SonarQube] is an Open Source platform for managing code quality. This platform can be extended with Open Source or commercial plugins, see for instance the [http://redirect.sonarsource.com/plugins/java.html Java], [http://redirect.sonarsource.com/plugins/javascript.html JavaScript], [http://redirect.sonarsource.com/plugins/php.html PHP] and [http://redirect.sonarsource.com/plugins/csharp.html C#] plugins.

==Licensing==
OWASP SonarQube Project is free to use. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;" |

== Project Leader ==

[mailto:vinod@owasp.org Vinod Anandan]

== Email List ==

[https://lists.owasp.org/mailman/listinfo/owasp_sonarqube Sign Up!]

[http://lists.owasp.org/pipermail/owasp_sonarqube/ Archives]

== Repository ==
Here are the repositories for the open source plugins related to this project. Most of them provide security-related rules:
* [https://github.com/SonarSource/sonar-java Java]
* [https://github.com/SonarCommunity/sonar-javascript JavaScript]
* [https://github.com/SonarCommunity/sonar-php PHP]
* [https://github.com/SonarSource/sonar-dotnet-codeanalysis C#]
* [https://github.com/SonarCommunity/sonar-widget-lab Widget Lab] provides security-related SonarQube dashboard widgets

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; How to help ?

= Acknowledgements =

== Sponsors : ==

=Project About=
{{:Projects/OWASP_SonarQube_Page}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP SonarQube Project

2017-08-07T22:01:18Z

VinodA:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

'''NOTE:''' If you are interested in contributing to open source static vulnerability analysis for Java, OWASP recommends you contribute to the [http://find-sec-bugs.github.io/ Find Security Bugs Project] run by Philippe Arteau. FindSecBugs is a FindBugs plugin. Philippe also runs the [https://github.com/SonarQubeCommunity/sonar-findbugs SonarQube FindBugs Plugin Project], which bundles both FindBugs and FindSecBugs into a plugin that can be used with SonarQube and in fact comes bundled with SonarQube by default. So, by contributing to the Find Security Bugs project, you are helping both the Find Bugs and SonarQube user communities at the same time.

----

Historical Info:

....

Any contributor is highly welcome to participate to this community effort and participating is pretty easy:
* Each idea of a new potential valuable check should be sent to this [https://groups.google.com/forum/#!forum/sonarqube project mailing list].
* Then some discussions might start to challenge the idea
* At the end of discussions, a specification of the check is created in the following JIRA project by one of the leader of this project : [http://jira.sonarsource.com/issues/?jql=project%20%3D%20RSPEC%20AND%20issuetype%20%3D%20Specification%20AND%20labels%20%3D%20owasp-top10 http://jira.sonarsource.com/browse/RSPEC].
* To suggest a rule, send as much as possible from the following list:
** description - What should be done/not done, and why
** noncompliant code example in the language of your choice
** remediation action - This can be as simple as "Don't do X."

The "News" is updated as soon as :
* A check specification is created
* A SonarQube analysers containing some stuff relating to this OWASP SonarQube project is released.

==About SonarQube==

[http://www.sonarqube.org SonarQube] is an Open Source platform for managing code quality. This platform can be extended with Open Source or commercial plugins, see for instance the [http://redirect.sonarsource.com/plugins/java.html Java], [http://redirect.sonarsource.com/plugins/javascript.html JavaScript], [http://redirect.sonarsource.com/plugins/php.html PHP] and [http://redirect.sonarsource.com/plugins/csharp.html C#] plugins.

==Licensing==
OWASP SonarQube Project is free to use. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;" |

== Project Leader ==

[mailto:vinod@owasp.org Vinod Anandan]

== Email List ==

[https://lists.owasp.org/mailman/listinfo/owasp_sonarqube Sign Up!]

[http://lists.owasp.org/pipermail/owasp_sonarqube/ Archives]

== Repository ==
Here are the repositories for the open source plugins related to this project. Most of them provide security-related rules:
* [https://github.com/SonarSource/sonar-java Java]
* [https://github.com/SonarCommunity/sonar-javascript JavaScript]
* [https://github.com/SonarCommunity/sonar-php PHP]
* [https://github.com/SonarSource/sonar-dotnet-codeanalysis C#]
* [https://github.com/SonarCommunity/sonar-widget-lab Widget Lab] provides security-related SonarQube dashboard widgets

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; How to help ?

= Acknowledgements =

== Sponsors : ==

=Project About=
{{:Projects/OWASP_SonarQube_Page}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP SonarQube Project

2017-08-07T14:29:13Z

VinodA: New project leader

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

'''NOTE:''' If you are interested in contributing to open source static vulnerability analysis for Java, OWASP recommends you contribute to the [http://find-sec-bugs.github.io/ Find Security Bugs Project] run by Philippe Arteau. FindSecBugs is a FindBugs plugin. Philippe also runs the [https://github.com/SonarQubeCommunity/sonar-findbugs SonarQube FindBugs Plugin Project], which bundles both FindBugs and FindSecBugs into a plugin that can be used with SonarQube and in fact comes bundled with SonarQube by default. So, by contributing to the Find Security Bugs project, you are helping both the Find Bugs and SonarQube user communities at the same time.

----

Historical Info:

The first goal of the OWASP SonarQube Project is to a create a referential of check specifications targeting OWASP vulnerabilities and that can be detected by SAST tools (Static Application Security Testing). From there, the second goal is to provide a reference implementations of most of those checks in the Open Source SonarQube language analysers (Java, JavaScript, PHP and C#).

Any contributor is highly welcome to participate to this community effort and participating is pretty easy:
* Each idea of a new potential valuable check should be sent to this [https://groups.google.com/forum/#!forum/sonarqube project mailing list].
* Then some discussions might start to challenge the idea
* At the end of discussions, a specification of the check is created in the following JIRA project by one of the leader of this project : [http://jira.sonarsource.com/issues/?jql=project%20%3D%20RSPEC%20AND%20issuetype%20%3D%20Specification%20AND%20labels%20%3D%20owasp-top10 http://jira.sonarsource.com/browse/RSPEC].
* To suggest a rule, send as much as possible from the following list:
** description - What should be done/not done, and why
** noncompliant code example in the language of your choice
** remediation action - This can be as simple as "Don't do X."

The "News" is updated as soon as :
* A check specification is created
* A SonarQube analysers containing some stuff relating to this OWASP SonarQube project is released.

==About SonarQube==

[http://www.sonarqube.org SonarQube] is an Open Source platform for managing code quality. This platform can be extended with Open Source or commercial plugins, see for instance the [http://redirect.sonarsource.com/plugins/java.html Java], [http://redirect.sonarsource.com/plugins/javascript.html JavaScript], [http://redirect.sonarsource.com/plugins/php.html PHP] and [http://redirect.sonarsource.com/plugins/csharp.html C#] plugins.

==Licensing==
OWASP SonarQube Project is free to use. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;" |

== Project Leader ==

[mailto:vinod@owasp.org Vinod Anandan]

== Email List ==

[https://lists.owasp.org/mailman/listinfo/owasp_sonarqube Sign Up!]

[http://lists.owasp.org/pipermail/owasp_sonarqube/ Archives]

== Repository ==
Here are the repositories for the open source plugins related to this project. Most of them provide security-related rules:
* [https://github.com/SonarSource/sonar-java Java]
* [https://github.com/SonarCommunity/sonar-javascript JavaScript]
* [https://github.com/SonarCommunity/sonar-php PHP]
* [https://github.com/SonarSource/sonar-dotnet-codeanalysis C#]
* [https://github.com/SonarCommunity/sonar-widget-lab Widget Lab] provides security-related SonarQube dashboard widgets

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= News =
* 26 Mar 2016: Release of the [https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10935&version=12970 SonarQube C# plugin version 5.0] adds four new bug and security-related rules:
** [http://www.sonarlint.org/visualstudio/rules/index.html#version=1.9.0&ruleId=S1944 S1944] Inappropriate casts should not be made
** [http://www.sonarlint.org/visualstudio/rules/index.html#version=1.9.0&ruleId=S3466 S3466] Optional parameters should be passed to "base" calls
** [http://www.sonarlint.org/visualstudio/rules/index.html#version=1.9.0&ruleId=S3449 S3449] Right operands of shift operators should be integers
** [http://www.sonarlint.org/visualstudio/rules/index.html#version=1.8.0&ruleId=S2184 S2184] Result of integer division should not be assigned to floating point variable

* 25 Mar 2016: Release of the [https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10973&version=12948 SonarQube Java plugin version 3.12] adds three new bug and security-related rules:
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3066 S3066] "enum" fields should not be publicly mutable
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3034 S3034] Raw byte values should not be used in bitwise operations in combination with shifts
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3546 S3546] Resources as defined by user should be closed
This last is actually a rule template, which will allow users to raise issues appropriately on their custom Resources.

* 6 Feb 2016: Release of the [https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10973&version=12876 SonarQube Java plugin version 3.10] adds seven new bug and security-related rules:
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS2142 S2142] "InterruptedException" should not be ignored
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3438 S3438] "SingleConnectionFactory" instances should be set to "reconnectOnException"
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3281 S3281] Default EJB interceptors should be declared in "ejb-jar.xml"
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS2639 S2639] Inappropriate regular expressions should not be used
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3369 S3369] Security constraints should be defired
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3374 S3374] Struts validation forms should have unique names
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3355 S3355] Web applications should use validation filters

* 13 Jan 2016: Release of the [https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10933&version=12847 SonarQube JavaScript plugin version 2.10] adds four new bug detection rules:
** [https://jira.sonarsource.com/browse/RSPEC-2234 RSPEC-2234] Parameters should be passed in the correct order]
** [https://jira.sonarsource.com/browse/RSPEC-3001 RSPEC-3001] "delete"should be used only with objects
** [https://jira.sonarsource.com/browse/RSPEC-2681 RSPEC-2681] Multiline blocks should be enclosed in curly braces
** [https://jira.sonarsource.com/browse/RSPEC-3403 RSPEC-3403] The identity operator ("===") should not be used with dissimilar types

* 12 Nov 2015: Release of the [https://jira.sonarsource.com/secure/ReleaseNote.jspa?projectId=10956&version=12425 SonarQube PHP plugin version 2.7] adds three new bug detection rules.

* 7 Oct 2015: Release of the [https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10973&version=12521 SonarQube Java plugin version 3.6] adds 14 new rules including four related to CWE or security:
** [https://jira.sonarsource.com/browse/RSPEC-2653 RSPEC-2653] Web applications should have a "main" method
** [https://jira.sonarsource.com/browse/RSPEC-2221 RSPEC-2221] "Exception" should not be caught when not required by called methods
** [https://jira.sonarsource.com/browse/RSPEC-3318 RSPEC-3318] Untrusted data should not be stored in sessions
** [https://jira.sonarsource.com/browse/RSPEC-1854 RSPEC-1845] Dead stores should be removed

* 2 Sept 2015: Release of [http://www.sonarsource.com/2015/09/02/sonarqube-javascript-2-8-released/ the SonarQube JavaScript plugin version 2.8] improves several rules and adds 5 new rules, all related to bugs or security, including:
** [https://jira.sonarsource.com/browse/RSPEC-905 RSPEC-905] Non-empty statements should change control flow or have at least one side effect
** [https://jira.sonarsource.com/browse/RSPEC-3271 RSPEC-3271] Local storage should not be used
** [https://jira.sonarsource.com/browse/RSPEC-2611 RSPEC-2611] Untrusted content should not be included

* 25 Aug 2015: Release of [http://www.sonarsource.com/2015/08/25/sonarqube-java-3-5-released/ the SonarQube Java plugin version 3.5] improves a number of existing rules, and adds 6 new rules, including 2 security-related rules:
** [https://jira.sonarsource.com/browse/RSPEC-2658 RSPEC-2384] Classes should not be loaded dynamically
** [https://jira.sonarsource.com/browse/RSPEC-2386 RSPEC-2386] Mutable fields should not be "public static"

* 9 July 2015: Release of [http://www.sonarsource.com/2015/07/08/sonarqube-java-3-4-released/ the SonarQube Java plugin version 3.4] adds 17 new rules, including 2 security-related rules:
** [http://jira.sonarsource.com/browse/RSPEC-2384 RSPEC-2384] Mutable members should not be stored or returned directly
** [http://jira.sonarsource.com/browse/RSPEC-2976 RSPEC-2976] "File.createTempFile" should not be used to create a directory

* 1 July 2015: Release of [http://www.sonarsource.com/2015/06/30/sonarqube-javascript-2-7-released/ the SonarQube JavaScript plugin version 2.7] adds 6 new rules, including 2 bug-related rules, 1 CWE-related rule, and 2 rules directly related to security
** [http://jira.sonarsource.com/browse/RSPEC-930 RSPEC-930] The number of arguments passed to a function shall match the number of parameters
** [http://jira.sonarsource.com/browse/RSPEC-2819 RSPEC-2819] Cross-document messaging domains should be carefully restricted
** [http://jira.sonarsource.com/browse/RSPEC-2817 RSPEC-2817] Web SQL databases shoudl not be used

* 9 June 2015: Release of [http://www.sonarsource.com/2015/06/08/sonarqube-php-2-6-released/ the SonarQube PHP plugin version 2.6] adds 5 new rules, including 1 CWE-related rule:
** [http://jira.sonarsource.com/browse/RSPEC-2068 RSPEC-2068] Credentials should not be hard-coded

* 19 May 2015: Release of [http://www.sonarsource.com/2015/05/19/sonarqube-java-3-3-released/ the SonarQube Java plugin version 3.3] adds 7 new rules, including 4 related to bug detection.

* 19 May 2015: Release of [http://www.sonarsource.com/2015/05/19/sonarqube-php-2-5-released/ the SonarQube PHP plugin version 2.5] adds 7 new rules, including 5 related to bug detection and error handling.

* 30 April 2015: Release of [http://www.sonarsource.com/2015/04/30/sonarqube-java-3-2-released/ the SonarQube Java plugin version 3.2] adds a rule to find unclosed resources, which can help prevent DoS attacks.

* 23 April 2015: Release of [http://www.sonarsource.com/2015/04/23/sonarqube-javascript-2-5-released/ the SonarQube JavaScript plugin version 2.5] adds 13 new rules, including seven related to bug or pitfall detection, including
** [http://jira.sonarsource.com/browse/RSPEC-1854 RSPEC 1854] Dead stores should be removed
** [http://jira.sonarsource.com/browse/RSPEC-888 RSPEC-888] Equality operators should not be used in "for" loop termination conditions

* 3 April 2015: Release of [http://www.sonarsource.com/2015/04/03/sonarqube-java-3-1-released/ the SonarQube Java plugin version 3.1] adds seven new rules related to bug detection, including a powerful new rule able to detect null pointer dereferences.

* 2 April 2015: Release of [http://www.sonarsource.com/2015/04/02/sonarqube-javascript-2-4-released/ the SonarQube JavaScript plugin version 2.4] adds 15 new rules related to bug detection, including one which is also related to security:
** [http://jira.sonarsource.com/browse/RSPEC-2228 RSPEC-2228] Console logging should not be used

* 9 March 2015: With its latest release, version 3.0 on 4 March 2015, the SonarQube Java plugin now covers 50 different CWE items. [http://dist.sonarsource.com/reports/coverage/squid_cwe_coverage.html See the full list]

* 4 March 2015: Release of [http://www.sonarsource.com/2015/03/04/sonarqube-java-3-0-released/ SonarQube Java 3.0 plugin] containing [http://jira.sonarsource.com/secure/ReleaseNote.jspa?projectId=10973&version=11895 24 new rules], including 14 related to bug detection and 6 related to the detection of multi-threading issues.

* 5 February 2015: Release of [http://www.sonarsource.com/2015/02/05/sonarqube-java-2-9-1-released/ SonarQube Java 2.9.1 plugin] containing [http://jira.sonarsource.com/secure/ReleaseNote.jspa?projectId=10973&version=11894 19 new rules] including 1 related to OWASP Top 10:
** [http://jira.sonarsource.com/browse/RSPEC-2257 RSPEC-2257] Only standard cryptographic algorithms should be used

* 5 January 2015: Release of [http://www.sonarsource.com/2015/01/09/sonarqube-java-2-8-released/ SonarQube Java 2.8 plugin] containing [http://jira.sonarsource.com/secure/ReleaseNote.jspa?projectId=10973&version=11893 25 new rules] including several related to OWASP Top 10:
** [http://jira.sonarsource.com/browse/RSPEC-2277 RSPEC-2277] Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)
** [http://jira.sonarsource.com/browse/RSPEC-2078 RSPEC-2078] Values passed to LDAP queries should be sanitized
** [http://jira.sonarsource.com/browse/RSPEC-2076 RSPEC-2076] Values passed to OS commands should be sanitized
** [http://jira.sonarsource.com/browse/RSPEC-2278 RSPEC-2278] DES (Data Encryption Standard) and DESede (3DES) should not be used

* 12 December 20014 : Release of [http://www.sonarsource.com/2014/12/11/sonarqube-java-2-7-released/ SonarQube Java 2.7 plugin] containing [http://jira.sonarsource.com/browse/SONARJAVA/fixforversion/11892 26 new rules] and 7 relating to OWASP TOP 10
** [http://jira.sonarsource.com/browse/RSPEC-2068 RSPEC-2068] Credentials should not be hard-coded
** [http://jira.sonarsource.com/browse/RSPEC-2245 RSPEC-2245] Pseudorandom number generators (PRNGs) should not be used in secure context
** [http://jira.sonarsource.com/browse/RSPEC-2255 RSPEC-2255] Cookies should not be used to store sensitive information
** [http://jira.sonarsource.com/browse/RSPEC-2089 RSPEC-2089] HTTP referers should not be relied on
** [http://jira.sonarsource.com/browse/RSPEC-2070 RSPEC-2070] SHA-1 and MD5 hash algorithms should not be used
** [http://jira.sonarsource.com/browse/RSPEC-2254 RSPEC-2254] "HttpServletRequest.getRequestedSessionId()" should not be used
** [http://jira.sonarsource.com/browse/RSPEC-2258 RSPEC-2258] "javax.crypto.NullCipher" should not be used for anything other than testing

* 10 December 2014 : 2 new rules specified
** [http://jira.sonarsource.com/browse/RSPEC-2278 RSPEC-2278] DES (Data Encryption Standard) and DESede (3DES) should not be used
** [http://jira.sonarsource.com/browse/RSPEC-2277 RSPEC-2277] Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)

* 3 December 2014 : 4 new rules specified
** [http://jira.sonarsource.com/browse/RSPEC-2258 RSPEC-2258] "javax.crypto.NullCipher" should not be used for anything other than testing
** [http://jira.sonarsource.com/browse/RSPEC-2257 RSPEC-2257] Only standard cryptographic algorithms should be used
** [http://jira.sonarsource.com/browse/RSPEC-2255 RSPEC-2255] Cookies should not be used to store sensitive information
** [http://jira.sonarsource.com/browse/RSPEC-2254 RSPEC-2254] "HttpServletRequest.getRequestedSessionId()" should not be used

* 6 November 2014 : [http://fr.slideshare.net/Eagle42/analyser-la-scurit-de-son-code-source-avec-sonarsource Project presentation at Application Security Forum West Switzerland]

* 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for OWASP Top 10 relating rules (mainly Findbugs rules)
** [http://jira.sonarsource.com/browse/RSPEC-2077 RSPEC-2077] Values passed to SQL commands should be sanitized

* 2 October 2014 : 2 new rules specified
** [http://jira.sonarsource.com/browse/RSPEC-2092 RSPEC-2092] Cookies should be "secure"
** [http://jira.sonarsource.com/browse/RSPEC-2091 RSPEC-2091] Values passed to XPath expressions should be sanitized
** [http://jira.sonarsource.com/browse/RSPEC-2089 RSPEC-2089] HTTP referers should not be relied on
** [http://jira.sonarsource.com/browse/RSPEC-2087 RSPEC-2087] Weak encryption should not be used
** [http://jira.sonarsource.com/browse/RSPEC-2086 RSPEC-2086] Values passed to XQuery commands should be sanitized
** [http://jira.sonarsource.com/browse/RSPEC-2085 RSPEC-2085] Values passed to HTTP redirects should be neutralized
** [http://jira.sonarsource.com/browse/RSPEC-2084 RSPEC-2084] Messages output from a servlet "catch" block should be invariable
** [http://jira.sonarsource.com/browse/RSPEC-2083 RSPEC-2083] Values used in path traversal should be neutralized

* 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of "owasp-top10" relating rules

* 11 September 2014 : Project as been presented at OWASP France Meeting. See [https://air.mozilla.org/owasp-france-meeting-mozilla-paris-2/ Air Mozilla recording ]

=FAQs=

; How to help ?
: Give us your expertise on some langage, or ability to test on some real project our rules, or more...

; Will you plan other langage ?
: Yes, contact us if you want to know more. And perhaps give us some feedback one some real projects....

= Acknowledgements =

== Sponsors : ==

[http://coach.appsec.fr AppSec Blog] ; AppSecFR Coach - Sébastien Gioria Consulting

[http://www.sonarsource.com SonarSource] ; Founder and maintainer of SonarQube

=Project About=
{{:Projects/OWASP_SonarQube_Page}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]