Monday, November 19, 2012

Sonar OWASP Plug-in

I have done several demos to clients on Sonar. Last week, I did a Brown Bag @ Cigital on Sonar. As I was preparing the Virtual Machine which I created for Sonar, I noticed the OWASP Plug-in. I downloaded the trial version and ran analysis on a few projects.

As I was doing the demo, several of our Consultants @ Cigital had tons of questions about how this plug-in worked. Remember, Cigital helps companies improve the security of our clients most reliable applications. :)

I promised to look in detail within this plug-in to see what engine was running behind the scenes, how they mapped the OWASP Top 10 vulnerabilities and so on.

Over the last 5 years, I have used several tools for running scans on various languages. I have used tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify. I was of the impression that this Plug-in was built with a powerful engine which compared to the tools I mentioned. I was really disappointed to see that it doesn't have any engine to find security vulnerabilities. The plug-in just maps rules from FindBugs, PMD and CheckStyle to the OWASP Top 10 rules.It has an XML file and you can map the rules within this file.

It gives you a false sense of security when you see the OWASP Factor Risk. The sample project I scanned using this plug-in has all the OWASP Top 10 vulnerabilities like Cross-Site Scripting, SQL Injection, Command Injection and many more. And this plug-in wasn't able to find any of these vulnerabilities. It is just a mapping of a few rules mapped to FindBugs, PMD and CheckStyle.














The idea behind this Plug-in is really great. However, if the engine can be improved behind the scenes, or if the plug-in can parse results from one of the SCR tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify than there is real value to the plug-in.

You can find more details about Sonar and the OWASP Plug-in at the links provided below:

17 comments:

  1. Actually, there is a Fortify plugin for Sonar that parses .fpr Fortify reports to integrate the results in your Sonar Dashboard : http://docs.codehaus.org/display/SONAR/Fortify+Plugin

    ReplyDelete
    Replies
    1. How do you know the plugin parses the .fpr Fortify reports. the .fpr report are generating from Fortify SCA. but i think the sonar-fortify-plugin is working with Fortify SSC

      Delete
    2. The Sonar plug-in doesn't parse the FPR. It talks to the SSC server, and updates the Sonar dashboard.

      Delete
    3. Uses the web services API.I have to check the source.

      Delete
  2. I thought to make an analyze for WebGoat in order to find out whether it really finds any kind of mapped vulnerability. It gave 5.7 OWASP Risk factor (which is Negligible) to WebGoat :)

    ReplyDelete
  3. Not worth using this plug-in in my opinion.

    ReplyDelete
  4. Among SAST (static application security testing) tools, what is the tool that you recommend to analyze JEE web applications in the free and commercial tools,

    ReplyDelete
  5. Hi Meera. You said that you have used the Fortify plugin. Did you used the plugin with Fortify SSC or Fortify SCA.
    Is there any reuseReport mode in this plugin

    ReplyDelete
    Replies
    1. With Sonar it is the SSC plug-in. With Jenkins and Hudson, it is the SCA plug-in. And yes, I have used both.

      Delete
  6. Hi Meera,
    I need to choose an SCA tool to my new java project on vertx platform. I have these two options available, Sonar (free one) and coverity (we have some licences). As you have experience with both tools, which one do you suggest?
    -Hari

    ReplyDelete
  7. Hari,
    Most of Sonar plug-ins are good for quality. It doesn't have any for Security. So, I would suggest using coverity.

    Hope this helps.

    ReplyDelete
  8. I'm working on project which already using Sonar. My current task is to configure Sonar for SQL Injection scans. Do you know where I should start? I'm not able to find any helpful documentation.

    Thanks!

    ReplyDelete
    Replies
    1. Not many open source plug-ins can do this. You can try FindBugs, it does find SQL Injection problems.

      Delete
  9. Hi Meera,

    Have you seen any sonar plugin that consumes Appscan findings?
    Thanks in advance!

    ReplyDelete
    Replies
    1. You will have to write a plug-in for SonarQube for AppScan.

      Delete