Monday, November 19, 2012

Sonar OWASP Plug-in

I have done several demos to clients on Sonar. Last week, I did a Brown Bag @ Cigital on Sonar. As I was preparing the Virtual Machine which I created for Sonar, I noticed the OWASP Plug-in. I downloaded the trial version and ran analysis on a few projects.

As I was doing the demo, several of our Consultants @ Cigital had tons of questions about how this plug-in worked. Remember, Cigital helps companies improve the security of our clients most reliable applications. :)

I promised to look in detail within this plug-in to see what engine was running behind the scenes, how they mapped the OWASP Top 10 vulnerabilities and so on.

Over the last 5 years, I have used several tools for running scans on various languages. I have used tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify. I was of the impression that this Plug-in was built with a powerful engine which compared to the tools I mentioned. I was really disappointed to see that it doesn't have any engine to find security vulnerabilities. The plug-in just maps rules from FindBugs, PMD and CheckStyle to the OWASP Top 10 rules.It has an XML file and you can map the rules within this file.

It gives you a false sense of security when you see the OWASP Factor Risk. The sample project I scanned using this plug-in has all the OWASP Top 10 vulnerabilities like Cross-Site Scripting, SQL Injection, Command Injection and many more. And this plug-in wasn't able to find any of these vulnerabilities. It is just a mapping of a few rules mapped to FindBugs, PMD and CheckStyle.

The idea behind this Plug-in is really great. However, if the engine can be improved behind the scenes, or if the plug-in can parse results from one of the SCR tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify than there is real value to the plug-in.

You can find more details about Sonar and the OWASP Plug-in at the links provided below:

Sunday, November 18, 2012

Deleting a project from Sonar

I have been using Sonar for several years now. However, I never deleted any project. So, when one of my colleagues asked me how to delete a project from Sonar, I had to spend a few minutes looking for the same.

It is quite easy to delete a project from Sonar.Listed below are the steps to delete a project.

1. Login into Sonar as an Administrator.

2. Next, click on the project you want to delete.

3. Click on the "Project Deletion" link on the left hand side. Highlighted in red in the above image.

4. Click on the "Delete Project" button. The operation cannot be undone.