Difference between revisions of "OWASP SonarQube Project"
(→Acknowledgements) |
|||
Line 59: | Line 59: | ||
= News = | = News = | ||
+ | * 12 December 20014 : Release of [http://www.sonarsource.com/2014/12/11/sonarqube-java-2-7-released/ SonarQube Java 2.7 plugin] containing [http://jira.codehaus.org/secure/ReleaseNote.jspa?projectId=12830&version=20752 26 new rules] and 7 relating to OWASP TOP 10 | ||
+ | ** RSPEC-2068 Credentials should not be hard-coded | ||
+ | ** RSPEC-2245 Pseudorandom number generators (PRNGs) should not be used in secure context | ||
+ | ** RSPEC-2092 Cookies should be "secure" | ||
+ | ** RSPEC-2089 HTTP referers should not be relied on | ||
+ | ** RSPEC-2070 SHA-1 and MD5 hash algorithms should not be used | ||
+ | ** RSPEC-2254 "HttpServletRequest.getRequestedSessionId()" should not be used | ||
+ | ** RSPEC-2258 "javax.crypto.NullCipher" should not be used for anything other than testing | ||
− | * | + | * 10 December 2014 : 2 new rules specified |
+ | ** RSPEC-2278 DES (Data Encryption Standard) and DESede (3DES) should not be used | ||
+ | ** RSPEC-2277 Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding) | ||
+ | |||
+ | * 3 December 2014 : 4 new rules specified | ||
+ | ** RSPEC-2258 "javax.crypto.NullCipher" should not be used for anything other than testing | ||
+ | ** RSPEC-2257 Only standard cryptographic algorithms should be used | ||
+ | ** RSPEC-2255 Cookies should not be used to store sensitive information | ||
+ | ** RSPEC-2254 "HttpServletRequest.getRequestedSessionId()" should not be used | ||
* 6 November 2014 : [http://fr.slideshare.net/Eagle42/analyser-la-scurit-de-son-code-source-avec-sonarsource Project presentation at Application Security Forum West Switzerland] | * 6 November 2014 : [http://fr.slideshare.net/Eagle42/analyser-la-scurit-de-son-code-source-avec-sonarsource Project presentation at Application Security Forum West Switzerland] | ||
* 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for OWASP Top 10 relating rules (mainly Findbugs rules) | * 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for OWASP Top 10 relating rules (mainly Findbugs rules) | ||
+ | |||
+ | * 2 October 201 : 2 new rules specified | ||
+ | ** RSPEC-2092 Cookies should be "secure" | ||
+ | ** RSPEC-2091 Values passed to XPath expressions should be sanitized | ||
+ | ** RSPEC-2089 HTTP referers should not be relied on | ||
+ | ** RSPEC-2087 Weak encryption should not be used | ||
+ | ** RSPEC-2086 Values passed to XQuery commands should be sanitized | ||
+ | ** RSPEC-2085 Values passed to HTTP redirects should be neutralized | ||
+ | ** RSPEC-2084 Messages output from a servlet "catch" block should be invariable | ||
+ | ** RSPEC-2083 Values used in path traversal should be neutralized | ||
* 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of "owasp-top10" relating rules | * 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of "owasp-top10" relating rules | ||
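Review bot: two of the added dates are mistyped and one count does not match its list: "12 December 20014" should read "12 December 2014" and "2 October 201" should read "2 October 2014" (it sits between the 1 November and 1 October 2014 entries), and the "2 October" entry says "2 new rules specified" while eight RSPEC items follow it. The "26 new rules and 7 relating to OWASP TOP 10" wording would also be clearer as "26 new rules, 7 of them relating to the OWASP Top 10".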
Line 70: | Line 96: | ||
* 11 September 2014 : Project as been presented at OWASP France Meeting. See [https://air.mozilla.org/owasp-france-meeting-mozilla-paris-2/ Air Mozilla recording ] | * 11 September 2014 : Project as been presented at OWASP France Meeting. See [https://air.mozilla.org/owasp-france-meeting-mozilla-paris-2/ Air Mozilla recording ] | ||
+ | = Road Map and Getting Involved = | ||
+ | As of June 2014, the priorities are: | ||
+ | |||
+ | First deliver on Java langage : | ||
+ | |||
+ | *Deliver tags mapping Cert Secure Coding and ISO 27034 ASC for the end of 2014 | ||
+ | |||
+ | *Deliver for 2015 rule tags mapping PCI-DSS requirements with the standard rules of SonarQube. | ||
+ | |||
+ | *Deliver for 2015 rule tags mapping OWASP ASVS level (1,2,3,4). | ||
+ | |||
+ | Involvement in the development and promotion of SonarQube is actively encouraged! | ||
+ | You do not have to be a security expert in order to contribute. | ||
=FAQs= | =FAQs= | ||
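Review bot: the new Road Map section carries spelling slips that should be fixed before it lands: "Java langage" should be "Java language", and in the retained context line just above, "Project as been presented" should be "Project has been presented". Since this is a December 2014 edit, the "As of June 2014, the priorities are" lead-in and the "for the end of 2014" target may want refreshing as well.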
Line 90: | Line 129: | ||
[http://www.sonarsource.com SonarSource] ; Founder and maintainer of SonarQube | [http://www.sonarsource.com SonarSource] ; Founder and maintainer of SonarQube | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=Project About= | =Project About= |
Revision as of 15:07, 12 December 2014
The first goal of the OWASP SonarQube Project is to create a referential of check specifications targeting OWASP vulnerabilities that can be detected by SAST (Static Application Security Testing) tools. From there, the second goal is to provide reference implementations of most of those checks in the open source SonarQube language analysers (Java, JavaScript, PHP and C#). Any contributor is highly welcome to participate in this community effort, and participating is pretty easy:
The news section is updated as soon as:
About SonarQube
SonarQube is an open source platform for managing code quality. The platform can be extended with open source or commercial plugins, see for instance the Java, JavaScript, PHP and C# plugins.
Licensing
The OWASP SonarQube Project is free to use. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work; if you alter, transform or build upon this work, you may distribute the resulting work only under the same or a similar license.
- 12 December 2014 : Release of the SonarQube Java 2.7 plugin containing 26 new rules, 7 of them relating to the OWASP Top 10
  - RSPEC-2068 Credentials should not be hard-coded
  - RSPEC-2245 Pseudorandom number generators (PRNGs) should not be used in a secure context
  - RSPEC-2092 Cookies should be "secure"
  - RSPEC-2089 HTTP referers should not be relied on
  - RSPEC-2070 SHA-1 and MD5 hash algorithms should not be used
  - RSPEC-2254 "HttpServletRequest.getRequestedSessionId()" should not be used
  - RSPEC-2258 "javax.crypto.NullCipher" should not be used for anything other than testing
- 10 December 2014 : 2 new rules specified
  - RSPEC-2278 DES (Data Encryption Standard) and DESede (3DES) should not be used
  - RSPEC-2277 Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)
- 3 December 2014 : 4 new rules specified
  - RSPEC-2258 "javax.crypto.NullCipher" should not be used for anything other than testing
  - RSPEC-2257 Only standard cryptographic algorithms should be used
  - RSPEC-2255 Cookies should not be used to store sensitive information
  - RSPEC-2254 "HttpServletRequest.getRequestedSessionId()" should not be used
- 6 November 2014 : Project presentation at Application Security Forum West Switzerland
- 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for rules relating to the OWASP Top 10 (mainly FindBugs rules)
- 2 October 2014 : 2 new rules specified
  - RSPEC-2092 Cookies should be "secure"
  - RSPEC-2091 Values passed to XPath expressions should be sanitized
  - RSPEC-2089 HTTP referers should not be relied on
  - RSPEC-2087 Weak encryption should not be used
  - RSPEC-2086 Values passed to XQuery commands should be sanitized
  - RSPEC-2085 Values passed to HTTP redirects should be neutralized
  - RSPEC-2084 Messages output from a servlet "catch" block should be invariable
  - RSPEC-2083 Values used in path traversal should be neutralized
- 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of rules relating to the "owasp-top10"
- 11 September 2014 : Project has been presented at the OWASP France Meeting. See the Air Mozilla recording
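To make the crypto-related rules above concrete, here is an added example (not SonarSource's code or the rule implementations) that puts the pattern each rule flags beside a compliant replacement, using only JDK APIs; the environment variable name DB_PASSWORD is an assumption.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Cipher;

/** Compliant forms for several listed RSPEC rules; the flagged form is shown in a comment. */
public class OwaspRuleExamples {

    // RSPEC-2278: DES and 3DES are weak block ciphers; use AES instead.
    static Cipher blockCipher() throws Exception {
        // Noncompliant: Cipher.getInstance("DES/ECB/PKCS5Padding");
        return Cipher.getInstance("AES/GCM/NoPadding");
    }

    // RSPEC-2277: RSA must use OAEP padding, not PKCS#1 v1.5 or no padding.
    static Cipher rsaCipher() throws Exception {
        // Noncompliant: Cipher.getInstance("RSA/ECB/PKCS1Padding");
        return Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
    }

    // RSPEC-2258: NullCipher returns plaintext unchanged; never use it outside tests.
    static Cipher productionCipher() throws Exception {
        // Noncompliant: new javax.crypto.NullCipher();
        return blockCipher();
    }

    // RSPEC-2070: SHA-1 and MD5 are broken; use SHA-256 or stronger.
    static byte[] digest(byte[] data) throws Exception {
        // Noncompliant: MessageDigest.getInstance("MD5");
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // RSPEC-2245: java.util.Random is predictable; use SecureRandom for tokens and keys.
    static byte[] sessionToken() {
        byte[] token = new byte[32];
        // Noncompliant: new java.util.Random().nextBytes(token);
        new SecureRandom().nextBytes(token);
        return token;
    }

    // RSPEC-2068: credentials must not be hard-coded; load them from the deployment.
    static String dbPassword() {
        // Noncompliant: String password = "s3cr3t";
        return System.getenv("DB_PASSWORD"); // assumed variable name, set by deployment
    }
}
```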
As of June 2014, the priorities are:
First deliver on the Java language:
- Deliver tags mapping CERT Secure Coding and ISO 27034 ASC for the end of 2014
- Deliver for 2015 rule tags mapping PCI-DSS requirements to the standard rules of SonarQube.
- Deliver for 2015 rule tags mapping OWASP ASVS levels (1, 2, 3, 4).
Involvement in the development and promotion of SonarQube is actively encouraged! You do not have to be a security expert in order to contribute.
- How do I use the owasp-top10 tag?
- Perform a rule search for tag=owasp-top10. If you have the proper permissions, you can use the bulk change options to activate the results in your profiles.
- How can I help?
- Give us your expertise on some language, or the ability to test our rules on some real project, or more...
- Do you plan to support other languages?
- Yes, contact us if you want to know more. And perhaps give us some feedback on some real projects.
Sponsors:
Advens ; French experts in application security
SonarSource ; Founder and maintainer of SonarQube