OWASP SonarQube Project
Any contributor is highly welcome to participate to this community effort and participating is pretty easy :
OWASP SonarQube Project is free to use. It is licensed under the [ttp://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
Here are the repositories for the open source plugins related to this project. Most of them provide security-related rules:
- 19 May 2015: Release of the SonarQube Java plugin version 3.3 adds 7 new rules, including 4 related to bug detection.
- 19 May 2015: Release of the SonarQube PHP plugin version 2.5 adds 7 new rules, including 5 related to bug detection and error handling.
- 19 May 2015: Release of the SonarQube C/C++ and Objective-C plugins version 3.6 adds 17 new rules, including 6 rules related to bug detection, and makes 8 rules previously available for C also available for C++, including 3 related to bug detection.
- 12 May 2015: Release of the SonarQube RPG plugin version 1.4 adds eight new rules, including four related to bug detection.
- 30 April 2015: Release of the SonarQube Java plugin version 3.2 adds a rule to find unclosed resources, which can help prevent DoS attacks.
- 6 April 2015: Release of the SonarQube C/C++ and Objective-C plugins version 3.5 adds 31 new rules for Objective-C, including four related to bug detection and two security-related rules:
- 3 April 2015: Release of the SonarQube Java plugin version 3.1 adds seven new rules related to bug detection, including a powerful new rule able to detect null pointer dereferences.
- RSPEC-2228 Console logging should not be used
- 11 March 2015: The SonarQube ABAP plugin covers 3 CWE items. The latest version is 3.2
- 9 March 2015: With its latest release, version 3.0 on 4 March 2015, the SonarQube Java plugin now covers 50 different CWE items. See the full list
- 4 March 2015: Release of SonarQube Java 3.0 plugin containing 24 new rules, including 14 related to bug detection and 6 related to the detection of multi-threading issues.
- 5 February 2015: Release of SonarQube Java 2.9.1 plugin containing 19 new rules including 1 related to OWASP Top 10:
- RSPEC-2257 Only standard cryptographic algorithms should be used
- 5 January 2015: Release of SonarQube Java 2.8 plugin containing 25 new rules including several related to OWASP Top 10:
- RSPEC-2277 Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)
- RSPEC-2078 Values passed to LDAP queries should be sanitized
- RSPEC-2076 Values passed to OS commands should be sanitized
- RSPEC-2278 DES (Data Encryption Standard) and DESede (3DES) should not be used
- 12 December 20014 : Release of SonarQube Java 2.7 plugin containing 26 new rules and 7 relating to OWASP TOP 10
- RSPEC-2068 Credentials should not be hard-coded
- RSPEC-2245 Pseudorandom number generators (PRNGs) should not be used in secure context
- RSPEC-2255 Cookies should not be used to store sensitive information
- RSPEC-2089 HTTP referers should not be relied on
- RSPEC-2070 SHA-1 and MD5 hash algorithms should not be used
- RSPEC-2254 "HttpServletRequest.getRequestedSessionId()" should not be used
- RSPEC-2258 "javax.crypto.NullCipher" should not be used for anything other than testing
- 10 December 2014 : 2 new rules specified
- 3 December 2014 : 4 new rules specified
- 6 November 2014 : Project presentation at Application Security Forum West Switzerland
- 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for OWASP Top 10 relating rules (mainly Findbugs rules)
- RSPEC-2077 Values passed to SQL commands should be sanitized
- 2 October 2014 : 2 new rules specified
- RSPEC-2092 Cookies should be "secure"
- RSPEC-2091 Values passed to XPath expressions should be sanitized
- RSPEC-2089 HTTP referers should not be relied on
- RSPEC-2087 Weak encryption should not be used
- RSPEC-2086 Values passed to XQuery commands should be sanitized
- RSPEC-2085 Values passed to HTTP redirects should be neutralized
- RSPEC-2084 Messages output from a servlet "catch" block should be invariable
- RSPEC-2083 Values used in path traversal should be neutralized
- 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of "owasp-top10" relating rules
- 11 September 2014 : Project as been presented at OWASP France Meeting. See Air Mozilla recording
- How do I use the owasp-top10 tag?
- Perform a rule search for tag=owasp-top10. If you have the proper permissions, you can use the bulk change options to activate the results in your profiles.
- How to help ?
- Give us your expertise on some langage, or ability to test on some real project our rules, or more...
- Will you plan other langage ?
- Yes, contact us if you want to know more. And perhaps give us some feedback one some real projects....
| PROJECT INFO
What does this OWASP project offer you?
| RELEASE(S) INFO|
What releases are available for this project?