This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP SonarQube Project"

From OWASP
Jump to: navigation, search
(Email List)
m (Main)
 
(66 intermediate revisions by 7 users not shown)
Line 4: Line 4:
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
+
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 +
The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies.
  
==OWASP SonarQube Project==
+
This project aims to enable more security functionalities to SonarQube and use it as an SAST. This project will use open source sonar plugins, rules, as well as other open source plugins especially FindSecBugs and its security rules. FindSecBugs enables the taint analysis.
  
OWASP Sonarqube Project is intended to track the implementation in SonarQube langauge plugins of security rules, like those in the OWASP Top10, ASVS, PCI-DSS, ISO 27034ASC, &etc.
+
'''Docker:''' https://hub.docker.com/r/owasp/sonarqube/
  
==Introduction to SonarQube==
+
'''GitHub:''' https://github.com/OWASP/sonarqube
 
 
SonarQube is an open platform for managing code quality. As such, it covers the 7 axes of code quality:
 
 
 
http://www.sonarqube.org/wp-content/themes/sonar/images/7axes.png
 
 
 
More than 20 programming languages are covered through plugins, including: Java, C#, C/C++, PL/SQL, Cobol, ABAP, …
 
 
 
==Goal==
 
Deliver a set of rules marked with relevant tags (E.G. owasp-top10, cwe, sans-top25) to make adoption of security rules as painless as possible.
 
  
 
==Licensing==
 
==Licensing==
OWASP SonarQube Project is free to use. It is licensed under the [ttp://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
+
OWASP SonarQube Project is free to use. It is licensed under the [http://www.gnu.org/licenses/lgpl-3.0.txt LGPL v3]
 
 
 
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
 
 
== News and Events ==
 
 
 
=== November 2014 ===
 
We've added an "owasp-top10" tag to existing rules, mainly in the FindBugs plugins.
 
 
 
=== October 2014 ===
 
We've mapped the existing [http://jira.sonarsource.com/browse/RSPEC-2260?jql=project%20%3D%20RSPEC%20AND%20resolution%20%3D%20Unresolved%20AND%20type%20%3D%20Specification SonarQube rule specifications] to CWE.
 
 
 
  
| valign="top" style="padding-left:25px;width:200px;" |  
+
| valign="top" style="padding-left:25px;width:200px;" |
  
 
== Project Leader ==
 
== Project Leader ==
  
[mailto:sebastien.gioria@owasp.org Sebastien Gioria]
+
[mailto:vinod@owasp.org Vinod Anandan]
  
[mailto:[email protected] Freddy Mallet]
+
== Email List ==
  
[mailto:ann.campbell@sonarsource.com G. Ann Campbell]
+
[https://lists.owasp.org/mailman/listinfo/owasp_sonarqube Sign Up!]
  
 +
[http://lists.owasp.org/pipermail/owasp_sonarqube/ Archives]
  
== Open HUB ==
 
[https://www.openhub.net/p/sonar SonarQube rating on Open HUB]
 
  
 +
== Repository ==
 +
Here are the repositories for the open source plugins related to this project.
 +
* [https://github.com/SonarSource/sonarqube SonarQube]
 +
* [https://github.com/find-sec-bugs/find-sec-bugs FindSecBugs]
 +
* [https://github.com/spotbugs/sonar-findbugs SonarFindBugs]
 +
* [https://github.com/VinodAnandan/sonar-pitest SonarPitest]
 +
* [https://github.com/SonarSource/sonar-java SonarJava]
 +
* [https://github.com/SonarCommunity/sonar-javascript SonarJavaScript]
 +
* [https://github.com/SonarCommunity/sonar-php SonarPHP]
  
== Email List ==
 
  
[https://lists.owasp.org/mailman/listinfo/owasp_sonarqube Sign Up!]
 
[http://lists.owasp.org/pipermail/owasp_sonarqube/ Archives]
 
  
 
==Classifications==
 
==Classifications==
Line 60: Line 45:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
+
   | rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]   
+
   | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]   
 
   |-
 
   |-
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
+
   | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
+
   | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
 
   |}
 
   |}
  
 
|}
 
|}
 
= News =
 
 
* 1 December 2014 : +20 rules relating to OWASP Top 10 and targeting Java already specified in the [http://jira.sonarsource.com/browse/RSPEC-1877?jql=labels%20%3D%20owasp-top10 SonarSource Rules Repository]
 
 
* 6 November 2014 : [http://fr.slideshare.net/Eagle42/analyser-la-scurit-de-son-code-source-avec-sonarsource Project presentation at Application Security Forum West Switzerland] 
 
 
* 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for OWASP Top 10 relating rules (mainly Findbugs rules)
 
 
* 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of "owasp-top10" relating rules
 
 
* 11 September 2014 : Project as been presented at OWASP France Meeting. See [https://air.mozilla.org/owasp-france-meeting-mozilla-paris-2/ Air Mozilla recording ] 
 
 
  
 
=FAQs=
 
=FAQs=
 
; How do I use the owasp-top10 tag?
 
: Perform a rule search for tag=owasp-top10. If you have the proper permissions, you can use the bulk change options to activate the results in your profiles.
 
 
  
 
; How to help ?  
 
; How to help ?  
: Give us  your expertise on some langage, or ability to test on some real project our rules, or more...
 
  
; Will you plan other langage ?
 
: Yes, contact us if you want to know more. And perhaps give us some feedback one some real projects....
 
  
 
= Acknowledgements =
 
= Acknowledgements =
Line 101: Line 66:
 
== Sponsors : ==
 
== Sponsors : ==
  
[http://www.advens.fr Advens ] ; French Experts on application security
 
  
[http://www.sonarsource.com SonarSource] ; Founder and maintainer of SonarQube
 
  
==Volunteers==
+
=Project About=
SonarQube is developed by a worldwide team of volunteers. The primary contributors to date have been:
 
  
= Road Map and Getting Involved =
+
{{:Projects/OWASP_SonarQube_Page}} 
As of June 2014, the priorities are:
 
 
 
First deliver on Java langage :
 
 
 
*Deliver tags mapping Cert Secure Coding and ISO 27034 ASC for the end of 2014
 
 
 
*Deliver for 2015 rule tags mapping PCI-DSS requirements with the standard rules of SonarQube.
 
  
*Deliver for 2015 rule tags mapping OWASP ASVS level (1,2,3,4).
+
= Roadmap =
  
Involvement in the development and promotion of SonarQube is actively encouraged!
+
== 2019 Roadmap ==
You do not have to be a security expert in order to contribute.
+
* Documentation
  
=Project About=
 
{{:Projects/OWASP_SonarQube_Page}} 
 
  
 
__NOTOC__ <headertabs />  
 
__NOTOC__ <headertabs />  
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
+
[[Category:OWASP Project]]   
 +
[[Category:OWASP_Builders]]  
 +
[[Category:OWASP_Defenders]]   
 +
[[Category:OWASP_Document]]

Latest revision as of 23:20, 29 October 2018

OWASP Project Header.jpg

The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies.

This project aims to enable more security functionalities to SonarQube and use it as an SAST. This project will use open source sonar plugins, rules, as well as other open source plugins especially FindSecBugs and its security rules. FindSecBugs enables the taint analysis.

Docker: https://hub.docker.com/r/owasp/sonarqube/

GitHub: https://github.com/OWASP/sonarqube

Licensing

OWASP SonarQube Project is free to use. It is licensed under the LGPL v3

Project Leader

Vinod Anandan

Email List

Sign Up!

Archives


Repository

Here are the repositories for the open source plugins related to this project.


Classifications

New projects.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg
How to help ?


Sponsors :

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP SonarQube Project
Purpose: The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies.

This project aims to enable more security functionalities to SonarQube and use it as an SAST. This project will use open source sonar plugins, rules, as well as other open source plugins especially FindSecBugs and its security rules. FindSecBugs enables the taint analysis.

License: LGPL v3
who is working on this project?
Project Leader(s):
  • Vinod Anandan @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: [[email protected] Mailing List Archives]
Project Roadmap: Not Yet Created
Key Contacts
  • Contact Vinod Anandan @ to contribute to this project
  • Contact Vinod Anandan @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases

2019 Roadmap

  • Documentation