I have done several demos to clients on Sonar. Last week, I did a Brown Bag @ Cigital on Sonar. As I was preparing the Virtual Machine which I created for Sonar, I noticed the OWASP Plug-in. I downloaded the trial version and ran analysis on a few projects.
As I was doing the demo, several of our Consultants @ Cigital had tons of questions about how this plug-in worked. Remember, Cigital helps companies improve the security of our clients most reliable applications. :)
I promised to look in detail within this plug-in to see what engine was running behind the scenes, how they mapped the OWASP Top 10 vulnerabilities and so on.
Over the last 5 years, I have used several tools for running scans on various languages. I have used tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify. I was of the impression that this Plug-in was built with a powerful engine which compared to the tools I mentioned. I was really disappointed to see that it doesn't have any engine to find security vulnerabilities. The plug-in just maps rules from FindBugs, PMD and CheckStyle to the OWASP Top 10 rules.It has an XML file and you can map the rules within this file.
It gives you a false sense of security when you see the OWASP Factor Risk. The sample project I scanned using this plug-in has all the OWASP Top 10 vulnerabilities like Cross-Site Scripting, SQL Injection, Command Injection and many more. And this plug-in wasn't able to find any of these vulnerabilities. It is just a mapping of a few rules mapped to FindBugs, PMD and CheckStyle.
The idea behind this Plug-in is really great. However, if the engine can be improved behind the scenes, or if the plug-in can parse results from one of the SCR tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify than there is real value to the plug-in.
You can find more details about Sonar and the OWASP Plug-in at the links provided below: