|
|
(45 intermediate revisions by 7 users not shown) |
Line 4: |
Line 4: |
| | | |
| {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- |
− | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | | + | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | |
| + | The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies. |
| | | |
− | The first goal of the OWASP SonarQube Project is to a create a referential of check specifications targetting OWASP vulnerabilities and that can be detected by SAST tools (Static Application Security Testing). From there, the second goal is to provide a reference implementations of most of those checks in the Open Source SonarQube language analysers (Java, JavaScript, PHP and C#).
| + | This project aims to enable more security functionalities to SonarQube and use it as an SAST. This project will use open source sonar plugins, rules, as well as other open source plugins especially FindSecBugs and its security rules. FindSecBugs enables the taint analysis. |
| | | |
− | Any contributor is highly welcome to participate to this community effort and participating is pretty easy :
| + | '''Docker:''' https://hub.docker.com/r/owasp/sonarqube/ |
− | * Each idea of a new potential valuable check should be sent to this [https://lists.owasp.org/mailman/listinfo/owasp_sonarqube project mailing list].
| |
− | * Then some discussions might start to challenge the idea
| |
− | * At the end of discussions, a specification of the check is created in the following JIRA project by one of the leader of this project : [http://jira.sonarsource.com/issues/?jql=project%20%3D%20RSPEC%20AND%20issuetype%20%3D%20Specification%20AND%20labels%20%3D%20owasp-top10 http://jira.sonarsource.com/browse/RSPEC].
| |
− | * To suggest a rule, send as much as possible from the following list:
| |
− | ** description - What should be done/not done, and why
| |
− | ** noncompliant code example in the language of your choice
| |
− | ** remediation action - This can be as simple as "Don't do X."
| |
| | | |
− | | + | '''GitHub:''' https://github.com/OWASP/sonarqube |
− | The "News" is updated as soon as :
| |
− | * A check specification is created
| |
− | * A SonarQube analysers containing some stuff relating to this OWASP SonarQube project is released.
| |
− | | |
− | ==About SonarQube==
| |
− | | |
− | [http://www.sonarqube.org SonarQube] is an Open Source platform for managing code quality. This platform can be extended with Open Source or commercial plugins, see for instance the [http://docs.codehaus.org/display/SONAR/Java+Plugin Java], [http://docs.sonarqube.org/display/SONAR/JavaScript+Plugin JavaScript], [http://docs.sonarqube.org/display/SONAR/PHP+Plugin PHP] and [http://docs.sonarqube.org/display/SONAR/C%23+Plugin C#] plugins.
| |
| | | |
| ==Licensing== | | ==Licensing== |
− | OWASP SonarQube Project is free to use. It is licensed under the [ttp://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. | + | OWASP SonarQube Project is free to use. It is licensed under the [http://www.gnu.org/licenses/lgpl-3.0.txt LGPL v3] |
| | | |
− | | + | | valign="top" style="padding-left:25px;width:200px;" | |
− | | valign="top" style="padding-left:25px;width:200px;" | | |
| | | |
| == Project Leader == | | == Project Leader == |
| | | |
− | [mailto:sebastien.gioria@owasp.org Sebastien Gioria] | + | [mailto:vinod@owasp.org Vinod Anandan] |
| | | |
− | | + | == Email List == |
| | | |
− | [mailto:ann.campbell@sonarsource.com G. Ann Campbell] | + | [https://lists.owasp.org/mailman/listinfo/owasp_sonarqube Sign Up!] |
| + | |
| + | [http://lists.owasp.org/pipermail/owasp_sonarqube/ Archives] |
| | | |
| | | |
− | == Email List == | + | == Repository == |
| + | Here are the repositories for the open source plugins related to this project. |
| + | * [https://github.com/SonarSource/sonarqube SonarQube] |
| + | * [https://github.com/find-sec-bugs/find-sec-bugs FindSecBugs] |
| + | * [https://github.com/spotbugs/sonar-findbugs SonarFindBugs] |
| + | * [https://github.com/VinodAnandan/sonar-pitest SonarPitest] |
| + | * [https://github.com/SonarSource/sonar-java SonarJava] |
| + | * [https://github.com/SonarCommunity/sonar-javascript SonarJavaScript] |
| + | * [https://github.com/SonarCommunity/sonar-php SonarPHP] |
| | | |
− | [https://lists.owasp.org/mailman/listinfo/owasp_sonarqube Sign Up!]
| |
| | | |
− | [http://lists.owasp.org/pipermail/owasp_sonarqube/ Archives]
| |
| | | |
| ==Classifications== | | ==Classifications== |
Line 51: |
Line 45: |
| {| width="200" cellpadding="2" | | {| width="200" cellpadding="2" |
| |- | | |- |
− | | align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]] | + | | rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]] |
− | | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] | + | | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] |
| |- | | |- |
− | | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]] | + | | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]] |
| |- | | |- |
− | | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] | + | | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] |
| |- | | |- |
− | | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]] | + | | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]] |
| |} | | |} |
| | | |
| |} | | |} |
− |
| |
− | = News =
| |
− | * 23 April 2015: Release of [http://www.sonarsource.com/2015/04/23/sonarqube-javascript-2-5-released/ the SonarQube JavaScript plugin version 2.5] adds 13 new rules, including seven related to bug or pitfall detection, including
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-1854 RSPEC 1854] Dead stores should be removed
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-888 RSPEC-888] Equality operators should not be used in "for" loop termination conditions
| |
− |
| |
− | * 6 April 2015: Release of [http://www.sonarsource.com/2015/04/06/sonarqube-c-c-objective-c-3-5-released/ the SonarQube C/C++ and Objective-C plugins version 3.5] adds 31 new rules for Objective-C, including four related to bug detection and two security-related rules:
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-874 RSPEC-874] Bitwise operators should not be applied to signed operands
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-930 RSPEC-930] The number of arguments passed to a function shall match the number of parameters
| |
− |
| |
− | * 3 April 2015: Release of [http://www.sonarsource.com/2015/04/03/sonarqube-java-3-1-released/ the SonarQube Java plugin version 3.1] adds seven new rules related to bug detection, including a powerful new rule able to detect null pointer dereferences.
| |
− |
| |
− | * 2 April 2015: Release of [http://www.sonarsource.com/2015/04/02/sonarqube-javascript-2-4-released/ the SonarQube JavaScript plugin version 2.4] adds 15 new rules related to bug detection, including one which is also related to security:
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2228 RSPEC-2228] Console logging should not be used
| |
− |
| |
− | * 17 March 2015: The SonarQube COBOL plugin [http://dist.sonarsource.com/reports/coverage/cobol_cwe_coverage.html covers 4 CWE items]. The latest version is [http://www.sonarsource.com/2015/03/16/sonarqube-cobol-2-5-released/ 2.5]
| |
− |
| |
− | * 11 March 2015: The SonarQube PL/SQL plugin [http://dist.sonarsource.com/reports/coverage/plsql_cwe_coverage.html covers 5 CWE items]. The latest version is [http://www.sonarsource.com/2015/03/11/sonarqube-plsql-2-7-released/ 2.7]
| |
− |
| |
− | * 11 March 2015: The SonarQube ABAP plugin covers 3 CWE items. The latest version is [http://www.sonarsource.com/2015/03/11/sonarqube-abap-3-2-released/ 3.2]
| |
− |
| |
− | * 9 March 2015: With its latest release, version 3.0 on 4 March 2015, the SonarQube Java plugin now covers 50 different CWE items. [http://dist.sonarsource.com/reports/coverage/squid_cwe_coverage.html See the full list]
| |
− |
| |
− | * 4 March 2015: Release of [http://www.sonarsource.com/2015/03/04/sonarqube-java-3-0-released/ SonarQube Java 3.0 plugin] containing [http://jira.codehaus.org/secure/ReleaseNote.jspa?projectId=12830&version=20957 24 new rules], including 14 related to bug detection and 6 related to the detection of multi-threading issues.
| |
− |
| |
− | * 5 February 2015: Release of [http://www.sonarsource.com/2015/02/05/sonarqube-java-2-9-1-released/ SonarQube Java 2.9.1 plugin] containing [http://jira.codehaus.org/secure/ReleaseNote.jspa?projectId=12830&version=20964 19 new rules] including 1 related to OWASP Top 10:
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2257 RSPEC-2257] Only standard cryptographic algorithms should be used
| |
− |
| |
− | * 5 January 2015: Release of [http://www.sonarsource.com/2015/01/09/sonarqube-java-2-8-released/ SonarQube Java 2.8 plugin] containing [http://jira.codehaus.org/secure/ReleaseNote.jspa?projectId=12830&version=20794 25 new rules] including several related to OWASP Top 10:
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2277 RSPEC-2277] Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2078 RSPEC-2078] Values passed to LDAP queries should be sanitized
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2076 RSPEC-2076] Values passed to OS commands should be sanitized
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2278 RSPEC-2278] DES (Data Encryption Standard) and DESede (3DES) should not be used
| |
− |
| |
− | * 12 December 20014 : Release of [http://www.sonarsource.com/2014/12/11/sonarqube-java-2-7-released/ SonarQube Java 2.7 plugin] containing [http://jira.codehaus.org/secure/ReleaseNote.jspa?projectId=12830&version=20752 26 new rules] and 7 relating to OWASP TOP 10
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2068 RSPEC-2068] Credentials should not be hard-coded
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2245 RSPEC-2245] Pseudorandom number generators (PRNGs) should not be used in secure context
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2255 RSPEC-2255] Cookies should not be used to store sensitive information
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2089 RSPEC-2089] HTTP referers should not be relied on
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2070 RSPEC-2070] SHA-1 and MD5 hash algorithms should not be used
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2254 RSPEC-2254] "HttpServletRequest.getRequestedSessionId()" should not be used
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2258 RSPEC-2258] "javax.crypto.NullCipher" should not be used for anything other than testing
| |
− |
| |
− | * 10 December 2014 : 2 new rules specified
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2278 RSPEC-2278] DES (Data Encryption Standard) and DESede (3DES) should not be used
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2277 RSPEC-2277] Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)
| |
− |
| |
− | * 3 December 2014 : 4 new rules specified
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2258 RSPEC-2258] "javax.crypto.NullCipher" should not be used for anything other than testing
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2257 RSPEC-2257] Only standard cryptographic algorithms should be used
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2255 RSPEC-2255] Cookies should not be used to store sensitive information
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2254 RSPEC-2254] "HttpServletRequest.getRequestedSessionId()" should not be used
| |
− |
| |
− | * 6 November 2014 : [http://fr.slideshare.net/Eagle42/analyser-la-scurit-de-son-code-source-avec-sonarsource Project presentation at Application Security Forum West Switzerland]
| |
− |
| |
− | * 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for OWASP Top 10 relating rules (mainly Findbugs rules)
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2077 RSPEC-2077] Values passed to SQL commands should be sanitized
| |
− |
| |
− | * 2 October 2014 : 2 new rules specified
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2092 RSPEC-2092] Cookies should be "secure"
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2091 RSPEC-2091] Values passed to XPath expressions should be sanitized
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2089 RSPEC-2089] HTTP referers should not be relied on
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2087 RSPEC-2087] Weak encryption should not be used
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2086 RSPEC-2086] Values passed to XQuery commands should be sanitized
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2085 RSPEC-2085] Values passed to HTTP redirects should be neutralized
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2084 RSPEC-2084] Messages output from a servlet "catch" block should be invariable
| |
− | ** [http://jira.sonarsource.com/browse/RSPEC-2083 RSPEC-2083] Values used in path traversal should be neutralized
| |
− |
| |
− | * 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of "owasp-top10" relating rules
| |
− |
| |
− | * 11 September 2014 : Project as been presented at OWASP France Meeting. See [https://air.mozilla.org/owasp-france-meeting-mozilla-paris-2/ Air Mozilla recording ]
| |
| | | |
| =FAQs= | | =FAQs= |
− |
| |
− | ; How do I use the owasp-top10 tag?
| |
− | : Perform a rule search for tag=owasp-top10. If you have the proper permissions, you can use the bulk change options to activate the results in your profiles.
| |
− |
| |
| | | |
| ; How to help ? | | ; How to help ? |
− | : Give us your expertise on some langage, or ability to test on some real project our rules, or more...
| |
| | | |
− | ; Will you plan other langage ?
| |
− | : Yes, contact us if you want to know more. And perhaps give us some feedback one some real projects....
| |
| | | |
| = Acknowledgements = | | = Acknowledgements = |
Line 150: |
Line 66: |
| == Sponsors : == | | == Sponsors : == |
| | | |
− | [http://www.advens.fr Advens ] ; French Experts on application security
| |
| | | |
− | [http://www.sonarsource.com SonarSource] ; Founder and maintainer of SonarQube
| |
| | | |
| =Project About= | | =Project About= |
| + | |
| {{:Projects/OWASP_SonarQube_Page}} | | {{:Projects/OWASP_SonarQube_Page}} |
| + | |
| + | = Roadmap = |
| + | |
| + | == 2019 Roadmap == |
| + | * Documentation |
| + | |
| | | |
| __NOTOC__ <headertabs /> | | __NOTOC__ <headertabs /> |
| | | |
− | [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] | + | [[Category:OWASP Project]] |
| + | [[Category:OWASP_Builders]] |
| + | [[Category:OWASP_Defenders]] |
| + | [[Category:OWASP_Document]] |