Monday, November 19, 2012

Sonar OWASP Plug-in

I have done several demos to clients on Sonar. Last week, I did a Brown Bag @ Cigital on Sonar. As I was preparing the Virtual Machine which I created for Sonar, I noticed the OWASP Plug-in. I downloaded the trial version and ran analysis on a few projects.

As I was doing the demo, several of our Consultants @ Cigital had tons of questions about how this plug-in worked. Remember, Cigital helps companies improve the security of our clients' most reliable applications. :)

I promised to look in detail within this plug-in to see what engine was running behind the scenes, how they mapped the OWASP Top 10 vulnerabilities and so on.

Over the last 5 years, I have used several tools for running scans on various languages, such as Coverity, IBM's AppScan Source Edition, and HP's Fortify. I was under the impression that this plug-in was built on a powerful engine comparable to those tools. I was really disappointed to find that it has no engine of its own for finding security vulnerabilities. The plug-in just maps rules from FindBugs, PMD and CheckStyle to the OWASP Top 10 categories. It ships with an XML file, and you can edit the rule mapping within this file.

It gives you a false sense of security when you look at the OWASP Risk Factor. The sample project I scanned with this plug-in contains all of the OWASP Top 10 vulnerabilities, such as Cross-Site Scripting, SQL Injection, Command Injection and many more, and the plug-in wasn't able to find any of them. It is just a mapping of a few FindBugs, PMD and CheckStyle rules onto the OWASP categories.
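To make the "mapping, not engine" point concrete, here is an added example (not code from the plug-in or from this post) that applies a hypothetical rule-to-OWASP mapping to a constructed FindBugs-style report. The mapping table and the sample report are assumptions; the real plug-in's XML layout is not shown on the page. Any OWASP category that no upstream rule maps to can only ever show zero findings, which is a blind spot, not a clean result.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Hypothetical rule -> OWASP Top 10 (2010) mapping, standing in for the
# plug-in's XML mapping file. Only three upstream rule types are mapped.
RULE_TO_OWASP = {
    "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE": "A1-Injection",
    "XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER": "A2-Cross-Site Scripting",
    "DMI_CONSTANT_DB_PASSWORD": "A7-Insecure Cryptographic Storage",
}

OWASP_TOP10_2010 = [
    "A1-Injection", "A2-Cross-Site Scripting",
    "A3-Broken Authentication and Session Management",
    "A4-Insecure Direct Object References", "A5-Cross-Site Request Forgery",
    "A6-Security Misconfiguration", "A7-Insecure Cryptographic Storage",
    "A8-Failure to Restrict URL Access",
    "A9-Insufficient Transport Layer Protection",
    "A10-Unvalidated Redirects and Forwards",
]

# Constructed FindBugs-style report: one mapped finding, one unmapped one.
SAMPLE_REPORT = """<BugCollection>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1"/>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2"/>
</BugCollection>"""


def map_findings(report_xml, mapping=RULE_TO_OWASP):
    """Return (findings per OWASP category, rule types with no mapping)."""
    root = ET.fromstring(report_xml)
    counts, unmapped = Counter(), []
    for bug in root.iter("BugInstance"):
        rule = bug.get("type")
        if rule in mapping:
            counts[mapping[rule]] += 1
        else:
            unmapped.append(rule)
    return counts, unmapped


def coverage_gaps(mapping=RULE_TO_OWASP, categories=OWASP_TOP10_2010):
    """Categories no upstream rule maps to: a zero there means 'never checked'."""
    covered = set(mapping.values())
    return [c for c in categories if c not in covered]


if __name__ == "__main__":
    counts, unmapped = map_findings(SAMPLE_REPORT)
    gaps = set(coverage_gaps())
    for cat in OWASP_TOP10_2010:
        print(f"{cat}: " + ("NO RULE MAPPED (blind spot)" if cat in gaps
                            else f"{counts[cat]} finding(s)"))
    print("unmapped rule types:", unmapped)
```

Running it shows seven of the ten categories as blind spots: a dashboard that reports those as "0 issues" is reporting the absence of rules, not the absence of vulnerabilities.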

The idea behind this plug-in is really great. However, there is only real value in the plug-in if the engine behind the scenes is improved, or if the plug-in can parse results from one of the SCA tools like Coverity, IBM's AppScan Source Edition, or HP's Fortify.

You can find more details about Sonar and the OWASP Plug-in at the links provided below:

24 comments:

  1. Actually, there is a Fortify plugin for Sonar that parses .fpr Fortify reports to integrate the results in your Sonar Dashboard: http://docs.codehaus.org/display/SONAR/Fortify+Plugin

    Replies
    1. How do you know the plugin parses the .fpr Fortify reports? The .fpr reports are generated by Fortify SCA, but I think the sonar-fortify-plugin works with Fortify SSC.

    2. The Sonar plug-in doesn't parse the FPR. It talks to the SSC server, and updates the Sonar dashboard.

    3. Uses the web services API. I have to check the source.

  2. I thought I'd run an analysis on WebGoat in order to find out whether it really finds any kind of mapped vulnerability. It gave a 5.7 OWASP Risk Factor (which is Negligible) to WebGoat :)

  3. Not worth using this plug-in in my opinion.

  4. Among SAST (static application security testing) tools, which free and commercial tools do you recommend for analyzing JEE web applications?

  5. Hi Meera. You said that you have used the Fortify plugin. Did you use the plugin with Fortify SSC or Fortify SCA?
    Is there any reuseReport mode in this plugin?

    Replies
    1. With Sonar it is the SSC plug-in. With Jenkins and Hudson, it is the SCA plug-in. And yes, I have used both.

  6. Hi Meera,
    I need to choose an SCA tool to my new java project on vertx platform. I have these two options available, Sonar (free one) and coverity (we have some licences). As you have experience with both tools, which one do you suggest?
    -Hari

  7. Hari,
    Most Sonar plug-ins are good for quality. It doesn't have any for security. So, I would suggest using Coverity.

    Hope this helps.

  8. I'm working on a project which is already using Sonar. My current task is to configure Sonar for SQL Injection scans. Do you know where I should start? I'm not able to find any helpful documentation.

    Thanks!

    Replies
    1. Not many open source plug-ins can do this. You can try FindBugs; it does find SQL Injection problems.

  9. Hi Meera,

    Have you seen any sonar plugin that consumes Appscan findings?
    Thanks in advance!

    Replies
    1. You will have to write a plug-in for SonarQube for AppScan.

  10. Hello, is SonarQube's Security Rules plugin currently capable of inspecting Java web applications for OWASP risks like Find Security Bugs does? Is there any other free SonarQube plugin intended for that?

    Thank you very much for your answer in advance.

    Replies
    1. None of those plugins are really good for security.

  11. Thank you for your advice. Which tools would you recommend for security testing in the Java programming language?

    Greetings from Slovenia. :)

  12. Hi Meera, we have Coverity installed on a server and it is scanning and producing some Coverity reports. I want to display those reports in my Sonar dashboard. We have installed the Coverity plugin, and when we run sonar-runner we see that it connects to the Coverity URL and scans (but we get file not found errors in the logs), and we get no results in Sonar. Can you please suggest how to configure it?

  13. The details of static analysis tools are quite helpful and all the details are in one place. Good one.

  14. Hi, in our project Sonar is not showing some security issues which were shown by Veracode earlier.

  15. Hi, what are the best plugins to scan for security issues in a project when we use SonarQube?