This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP SonarQube Project"

From OWASP
Jump to: navigation, search
(minor wiki update to fix a bug)
(News)
Line 73: Line 73:
  
 
= News =
 
= News =
 +
* 6 Feb 2016: Release of the [https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10973&version=12876 SonarQube Java plugin version 3.10] adds seven new bug and security-related rules:
 +
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS2142 S2142] "InterruptedException" should not be ignored
 +
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3438 S3438] "SingleConnectionFactory" instances should be set to "reconnectOnException"
 +
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3281 S3281] Default EJB interceptors should be declared in "ejb-jar.xml"
 +
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS2639 S2639] Inappropriate regular expressions should not be used
 +
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3369 S3369] Security constraints should be defired
 +
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3374 S3374] Struts validation forms should have unique names
 +
** [https://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS3355 S3355] Web applications should use validation filters
 +
 +
 
* 13 Jan 2016: Release of the [https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10933&version=12847 SonarQube JavaScript plugin version 2.10] adds four new bug detection rules:
 
* 13 Jan 2016: Release of the [https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10933&version=12847 SonarQube JavaScript plugin version 2.10] adds four new bug detection rules:
 
** [https://jira.sonarsource.com/browse/RSPEC-2234 RSPEC-2234] Parameters should be passed in the correct order]
 
** [https://jira.sonarsource.com/browse/RSPEC-2234 RSPEC-2234] Parameters should be passed in the correct order]

Revision as of 19:40, 8 February 2016

OWASP Project Header.jpg

The first goal of the OWASP SonarQube Project is to a create a referential of check specifications targetting OWASP vulnerabilities and that can be detected by SAST tools (Static Application Security Testing). From there, the second goal is to provide a reference implementations of most of those checks in the Open Source SonarQube language analysers (Java, JavaScript, PHP and C#).

Any contributor is highly welcome to participate to this community effort and participating is pretty easy :

  • Each idea of a new potential valuable check should be sent to this project mailing list.
  • Then some discussions might start to challenge the idea
  • At the end of discussions, a specification of the check is created in the following JIRA project by one of the leader of this project : http://jira.sonarsource.com/browse/RSPEC.
  • To suggest a rule, send as much as possible from the following list:
    • description - What should be done/not done, and why
    • noncompliant code example in the language of your choice
    • remediation action - This can be as simple as "Don't do X."


The "News" is updated as soon as :

  • A check specification is created
  • A SonarQube analysers containing some stuff relating to this OWASP SonarQube project is released.

About SonarQube

SonarQube is an Open Source platform for managing code quality. This platform can be extended with Open Source or commercial plugins, see for instance the Java, JavaScript, PHP and C# plugins.

Licensing

OWASP SonarQube Project is free to use. It is licensed under the Apache 2.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


Project Leader

Sebastien Gioria

Freddy Mallet

G. Ann Campbell

Email List

Sign Up!

Archives


Repository

Here are the repositories for the open source plugins related to this project. Most of them provide security-related rules:


Classifications

New projects.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg
  • 6 Feb 2016: Release of the SonarQube Java plugin version 3.10 adds seven new bug and security-related rules:
    • S2142 "InterruptedException" should not be ignored
    • S3438 "SingleConnectionFactory" instances should be set to "reconnectOnException"
    • S3281 Default EJB interceptors should be declared in "ejb-jar.xml"
    • S2639 Inappropriate regular expressions should not be used
    • S3369 Security constraints should be defired
    • S3374 Struts validation forms should have unique names
    • S3355 Web applications should use validation filters


  • 1 July 2015: Release of the SonarQube JavaScript plugin version 2.7 adds 6 new rules, including 2 bug-related rules, 1 CWE-related rule, and 2 rules directly related to security
    • RSPEC-930 The number of arguments passed to a function shall match the number of parameters
    • RSPEC-2819 Cross-document messaging domains should be carefully restricted
    • RSPEC-2817 Web SQL databases shoudl not be used
  • 9 March 2015: With its latest release, version 3.0 on 4 March 2015, the SonarQube Java plugin now covers 50 different CWE items. See the full list
  • 5 January 2015: Release of SonarQube Java 2.8 plugin containing 25 new rules including several related to OWASP Top 10:
    • RSPEC-2277 Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)
    • RSPEC-2078 Values passed to LDAP queries should be sanitized
    • RSPEC-2076 Values passed to OS commands should be sanitized
    • RSPEC-2278 DES (Data Encryption Standard) and DESede (3DES) should not be used
  • 12 December 20014 : Release of SonarQube Java 2.7 plugin containing 26 new rules and 7 relating to OWASP TOP 10
    • RSPEC-2068 Credentials should not be hard-coded
    • RSPEC-2245 Pseudorandom number generators (PRNGs) should not be used in secure context
    • RSPEC-2255 Cookies should not be used to store sensitive information
    • RSPEC-2089 HTTP referers should not be relied on
    • RSPEC-2070 SHA-1 and MD5 hash algorithms should not be used
    • RSPEC-2254 "HttpServletRequest.getRequestedSessionId()" should not be used
    • RSPEC-2258 "javax.crypto.NullCipher" should not be used for anything other than testing
  • 10 December 2014 : 2 new rules specified
    • RSPEC-2278 DES (Data Encryption Standard) and DESede (3DES) should not be used
    • RSPEC-2277 Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)
  • 3 December 2014 : 4 new rules specified
    • RSPEC-2258 "javax.crypto.NullCipher" should not be used for anything other than testing
    • RSPEC-2257 Only standard cryptographic algorithms should be used
    • RSPEC-2255 Cookies should not be used to store sensitive information
    • RSPEC-2254 "HttpServletRequest.getRequestedSessionId()" should not be used
  • 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for OWASP Top 10 relating rules (mainly Findbugs rules)
    • RSPEC-2077 Values passed to SQL commands should be sanitized
  • 2 October 2014 : 2 new rules specified
    • RSPEC-2092 Cookies should be "secure"
    • RSPEC-2091 Values passed to XPath expressions should be sanitized
    • RSPEC-2089 HTTP referers should not be relied on
    • RSPEC-2087 Weak encryption should not be used
    • RSPEC-2086 Values passed to XQuery commands should be sanitized
    • RSPEC-2085 Values passed to HTTP redirects should be neutralized
    • RSPEC-2084 Messages output from a servlet "catch" block should be invariable
    • RSPEC-2083 Values used in path traversal should be neutralized
  • 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of "owasp-top10" relating rules
How do I use the owasp-top10 tag?
Perform a rule search for tag=owasp-top10. If you have the proper permissions, you can use the bulk change options to activate the results in your profiles.


How to help ?
Give us your expertise on some langage, or ability to test on some real project our rules, or more...
Will you plan other langage ?
Yes, contact us if you want to know more. And perhaps give us some feedback one some real projects....

Sponsors :

Advens  ; French Experts on application security

SonarSource ; Founder and maintainer of SonarQube

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP SonarQube Project
Purpose: The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies.

This project aims to enable more security functionalities to SonarQube and use it as an SAST. This project will use open source sonar plugins, rules, as well as other open source plugins especially FindSecBugs and its security rules. FindSecBugs enables the taint analysis.

License: LGPL v3
who is working on this project?
Project Leader(s):
  • Vinod Anandan @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: [[email protected] Mailing List Archives]
Project Roadmap: Not Yet Created
Key Contacts
  • Contact Vinod Anandan @ to contribute to this project
  • Contact Vinod Anandan @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases