
OWASP SonarQube Project

Revision as of 20:33, 14 June 2014 by SebastienGioria (talk | contribs) (Introduction)



The OWASP SonarQube Project aims to deliver a set of "standard" SonarQube quality profiles for security, such as an OWASP Top 10 profile, ASVS profiles, a PCI-DSS profile and an ISO 27034 ASC profile, among others, that teams can use with the support of the OWASP community.

Introduction

SonarQube is an open platform to manage code quality. As such, it covers the 7 axes of code quality:


More than 20 programming languages are covered through plugins including Java, C#, C/C++, PL/SQL, Cobol, ABAP…

Description

The project will be modelled on the OWASP ModSecurity CRS project: it will deliver a set of profiles that the community recognises as meeting the need for securing their applications.

Sponsors:

  • Advens (experts in application security): allowing time to work on the project.
  • SonarSource (founder and maintainer of SonarQube): giving time and expertise on the core of SonarQube.


Licensing

OWASP SonarQube Project is free to use. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.


What is SonarQube?

OWASP SonarQube provides:

  • A set of SonarQube quality profiles, mapped to security standards.
  • Some new plugins and rules for SonarQube.



Project Leader

Sebastien Gioria

Freddy Mallet


Volunteers

The OWASP SonarQube Project is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • xxx
  • xxx

Others

  • xxx
  • xxx

As of June 2014, the priorities are:

We will first deliver on the Java language:

  • Deliver, for the beginning of Q4 (October) 2014, a set of profiles directly mapping the OWASP Top 10 2013 to the standard rules of SonarQube.
  • Deliver, for the end of 2014, a set of profiles mapping PCI-DSS requirements to the standard rules of SonarQube.
  • Deliver, for 2015, profiles mapping the OWASP ASVS levels (1, 2, 3, 4).
  • Deliver, for 2015, profiles based on the CERT Secure Coding standards and ISO 27034 ASC.

We also plan, without a roadmap for it yet, to set up and deliver to OWASP projects the capacity to scan their own code with these profiles and rules.

Involvement in the development and promotion of the OWASP SonarQube Project is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • xxx
  • xxx


Project Info

Name: OWASP SonarQube Project

Purpose: The OWASP SonarQube Project aims to provide open source SAST using existing open source solutions. SonarQube is one of the world's most popular continuous code quality tools and is actively used by many developers and companies.

This project aims to add more security functionality to SonarQube and use it as a SAST tool. It will use open source Sonar plugins and rules, as well as other open source plugins, especially FindSecBugs and its security rules. FindSecBugs enables taint analysis.

License: LGPL v3

Project Leader(s):
  • Vinod Anandan @

Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: [[email protected] Mailing List Archives]
Project Roadmap: Not Yet Created

Key Contacts
  • Contact Vinod Anandan @ to contribute to this project
  • Contact Vinod Anandan @ to review or sponsor this project

Release(s) Info

Current release: Not Yet Published
Last reviewed release: Not Yet Reviewed
Other releases: