
Difference between revisions of "OWASP SonarQube Project"

m (Main)
 
(9 intermediate revisions by the same user not shown)
Line 4: Line 4:
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
+
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 +
The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies.
  
'''NOTE:''' If you are interested in contributing to open source static vulnerability analysis for Java, OWASP recommends you contribute to the [http://find-sec-bugs.github.io/ Find Security Bugs Project] run by Philippe Arteau. FindSecBugs is a FindBugs plugin. Philippe also runs the [https://github.com/SonarQubeCommunity/sonar-findbugs SonarQube FindBugs Plugin Project], which bundles both FindBugs and FindSecBugs into a plugin that can be used with SonarQube and in fact comes bundled with SonarQube by default. So, by contributing to the Find Security Bugs project, you are helping both the Find Bugs and SonarQube user communities at the same time.
+
This project aims to enable more security functionalities to SonarQube and use it as an SAST. This project will use open source sonar plugins, rules, as well as other open source plugins especially FindSecBugs and its security rules. FindSecBugs enables the taint analysis.
  
 +
'''Docker:''' https://hub.docker.com/r/owasp/sonarqube/
  
----
+
'''GitHub:''' https://github.com/OWASP/sonarqube
 
 
Historical Info:
 
 
 
....
 
 
 
Any contributor is highly welcome to participate to this community effort and participating is pretty easy:
 
* Each idea of a new potential valuable check should be sent to this [https://groups.google.com/forum/#!forum/sonarqube project mailing list].
 
* Then some discussions might start to challenge the idea
 
* At the end of discussions, a specification of the check is created in the following JIRA project by one of the leader of this project : [http://jira.sonarsource.com/issues/?jql=project%20%3D%20RSPEC%20AND%20issuetype%20%3D%20Specification%20AND%20labels%20%3D%20owasp-top10 http://jira.sonarsource.com/browse/RSPEC].
 
* To suggest a rule, send as much as possible from the following list:
 
** description - What should be done/not done, and why
 
** noncompliant code example in the language of your choice
 
** remediation action - This can be as simple as "Don't do X."
 
 
 
 
 
The "News" is updated as soon as :
 
* A check specification is created
 
* A SonarQube analysers containing some stuff relating to this OWASP SonarQube project is released.
 
 
 
==About SonarQube==
 
 
 
[http://www.sonarqube.org SonarQube] is an Open Source platform for managing code quality. This platform can be extended with Open Source or commercial plugins, see for instance the [http://redirect.sonarsource.com/plugins/java.html Java], [http://redirect.sonarsource.com/plugins/javascript.html JavaScript], [http://redirect.sonarsource.com/plugins/php.html PHP] and [http://redirect.sonarsource.com/plugins/csharp.html C#] plugins.
 
  
 
==Licensing==
 
==Licensing==
OWASP SonarQube Project is free to use. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
+
OWASP SonarQube Project is free to use. It is licensed under the [http://www.gnu.org/licenses/lgpl-3.0.txt LGPL v3]
  
 
+
| valign="top" style="padding-left:25px;width:200px;" |
| valign="top" style="padding-left:25px;width:200px;" |
 
  
 
== Project Leader ==
 
== Project Leader ==
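Review bot: the new Licensing line (`It is licensed under the [http://www.gnu.org/licenses/lgpl-3.0.txt LGPL v3]`) has no terminal punctuation and drops any statement of what the license permits; the removed paragraph described share-alike terms ("distribute the resulting work only under the same or similar license") that do not match the Apache 2.0 license it named, so replacing it is right, but one sentence saying what the LGPL v3 covers (the GitHub repository, the Docker image) would keep the section from reading as a bare link. The `Historical Info:` heading followed by `....` also leaves it unclear whether the contribution steps below it (the SonarQube mailing list, the RSPEC JIRA project) still apply to this OWASP project; either mark them as historical or remove the placeholder.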
Line 51: Line 30:
  
 
== Repository ==  
 
== Repository ==  
Here are the repositories for the open source plugins related to this project. Most of them provide security-related rules:
+
Here are the repositories for the open source plugins related to this project.
* [https://github.com/SonarSource/sonar-java Java]  
+
* [https://github.com/SonarSource/sonarqube SonarQube]
* [https://github.com/SonarCommunity/sonar-javascript JavaScript]  
+
* [https://github.com/find-sec-bugs/find-sec-bugs FindSecBugs]  
* [https://github.com/SonarCommunity/sonar-php PHP]
+
* [https://github.com/spotbugs/sonar-findbugs SonarFindBugs]  
* [https://github.com/SonarSource/sonar-dotnet-codeanalysis C#]
+
* [https://github.com/VinodAnandan/sonar-pitest SonarPitest]  
* [https://github.com/SonarCommunity/sonar-widget-lab Widget Lab] provides security-related SonarQube dashboard widgets
+
* [https://github.com/SonarSource/sonar-java SonarJava]
 +
* [https://github.com/SonarCommunity/sonar-javascript SonarJavaScript]  
 +
* [https://github.com/SonarCommunity/sonar-php SonarPHP]
 +
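Review bot: the rewritten Repository list drops the qualifier "Most of them provide security-related rules" and the one-line description the old Widget Lab entry carried, leaving bare links; a short note per entry (for example that FindSecBugs supplies the security rules and SonarFindBugs packages it for SonarQube, as the NOTE paragraph above already explains) would tell readers which repositories matter for SAST. The SonarFindBugs entry also links https://github.com/spotbugs/sonar-findbugs while the NOTE paragraph links https://github.com/SonarQubeCommunity/sonar-findbugs; settle on one location for the plugin so the two references agree.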
 
  
  
Line 63: Line 45:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
+
   | rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]   
+
   | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]   
 
   |-
 
   |-
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
+
   | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
+
   | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
 
   |}
 
   |}
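Review bot: this hunk only reorders cell attributes (`rowspan` moved first, a space added before the closing `|`), so there is no rendering change to verify; the `Cc-button-y-sa-small.png` badge is kept while the Licensing section now states LGPL v3, so if the CC BY-SA badge refers to the wiki content rather than the code, a sentence saying so in the Licensing section would avoid the apparent contradiction.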
  
Line 87: Line 69:
  
 
=Project About=
 
=Project About=
 +
 
{{:Projects/OWASP_SonarQube_Page}}   
 
{{:Projects/OWASP_SonarQube_Page}}   
 +
 +
= Roadmap =
 +
 +
== 2019 Roadmap ==
 +
* Documentation
 +
  
 
__NOTOC__ <headertabs />  
 
__NOTOC__ <headertabs />  
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
+
[[Category:OWASP Project]]   
 +
[[Category:OWASP_Builders]]  
 +
[[Category:OWASP_Defenders]]   
 +
[[Category:OWASP_Document]]
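Review bot: the new `= Roadmap =` / `== 2019 Roadmap ==` section lists a single item, "Documentation", with no deliverable or target date, and the project template rendered below this diff still says "Project Roadmap: Not Yet Created", so that field should be updated in the same change. Splitting the four `[[Category:...]]` tags onto separate lines is fine; the empty `+` line added just before `{{:Projects/OWASP_SonarQube_Page}}` can be dropped.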

Latest revision as of 23:20, 29 October 2018


The OWASP SonarQube project aims to provide open source static application security testing (SAST) using existing open source solutions. SonarQube is one of the world's most popular continuous code quality tools and is actively used by many developers and companies.

This project aims to add security functionality to SonarQube so that it can be used as a SAST tool. It will build on open source Sonar plugins and rules, as well as other open source plugins, especially FindSecBugs and its security rules; FindSecBugs provides the taint analysis.

Docker: https://hub.docker.com/r/owasp/sonarqube/

GitHub: https://github.com/OWASP/sonarqube

Licensing

OWASP SonarQube Project is free to use. It is licensed under the LGPL v3.

Project Leader

Vinod Anandan


Repository

Here are the repositories for the open source plugins related to this project.


Classifications: Incubator Project; OWASP Builders; OWASP Defenders; CC BY-SA 3.0; Code project

How to help?

Sponsors:

PROJECT INFO
what is this project?
Name: OWASP SonarQube Project
Purpose: see the project description above.

License: LGPL v3
who is working on this project?
Project Leader(s):
  • Vinod Anandan @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: Not Yet Created
Key Contacts
  • Contact Vinod Anandan @ to contribute to this project
  • Contact Vinod Anandan @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases

2019 Roadmap

  • Documentation