Page tree
Skip to end of metadata
Go to start of metadata

You can find out more about our SonarQube plugin in our blog post.

Features

The RIPS SonarQube PHP plugin lets you run scans from SonarQube and imports issues from the corresponding RIPS scans to SonarQube.

Note that the RIPS SonarQube PHP plugin currently requires SonarQube's default PHP plugin SonarPHP to be installed.

Difference to SonarPHP

SonarPHP does not perform real security analysis but only reports signature matches when suspicious PHP features such as "eval()" are used in your code (see SonarPHP Rules). It does not analyze the data flow of user input into this eval() statement and thus cannot decide if this is an exploitable vulnerability for an attacker that can modify the PHP code that is evaluated, or if it is simply a bad coding practice with static PHP code being evaluated. Hence, SonarPHP cannot report real security issues such as Cross-Site Scripting, SQL injection or any other OWASP Top 10 issues.

You can find more information on how this pattern matching approach compares to our static code analysis approach in our blog post.

SonarQube Setup

  1. Download and install Java 8 JRE (https://www.java.com/).
  2. Download and install SonarQube (https://www.sonarqube.org/downloads/). The plugin was developed for SonarQube version 6.7.1 (LTS) and should work on newer versions. Older versions are currently not supported, although you are free to try them.
  3. Install the SonarPHP plugin (https://docs.sonarqube.org/display/SONAR/Installing+a+Plugin).

Please refer to the SonarQube documentation for more details concerning SonarQube itself: https://docs.sonarqube.org/.

To control access to scanning and amongst others this plugin within SonarQube, please refer to the corresponding pages in the SonarQube documentation: https://docs.sonarqube.org/display/SONAR/Security.

RIPS Plugin Setup

The RIPS plugin for SonarQube is currently not in the SonarQube plugin repository. Hence, at the time being, you will need to install it manually:

  1. Obtain the RIPS plugin file from https://files.ripstech.com/sonarqube/RIPSQube-1.7.4.jar.
  2. Move the plugin file to <your SonarQube install directory>/extensions/plugins/.
  3. Restart SonarQube.
  4. You may have to activate the RIPSQube quality profile for projects to start using the plugin. See the image below for details: simply click on the marked interface elements in the order specified:


Note that you can also associate the quality profile with projects by selecting the quality profile in the project directly. Please refer to the SonarQube documentation for details if you prefer to do it this way. Also see section 'Scan Configuration'.

Alternatively you can also select the RIPS profile as default or add RIPS rules to another PHP profile of your choice.

Plugin Configuration

You can change the general plugin settings by going to Administration and selecting RIPS on the left side of the screen when you are in the Configuration tab.

Configuration Parameters

  • APIv2 Base URL: define the API's base URL of the RIPS instance you are going to use.

Scan Configuration

In order to scan a project with RIPS you will need to add some configuration parameters to your sonar.properties file. Following parameters are available:

  • ripsqube.username (required): Your RIPS API user name.
  • ripsqube.password (required): Your RIPS API password.
  • ripsqube.baseUrl (optional): Use this field to overwrite the default API URL for this project only.
  • ripsqube.applicationId (required): The RIPS application ID with which to associate this SonarQube project.
  • ripsqube.local (required): Should be set to false.
  • ripsqube.storeCode (optional): Set to true if you wish to store the code in the RIPS instance, false otherwise.
  • ripsqube.removeUpload (required if ripsqube.local=false): Set to false if you wish to keep uploads made to a cloud RIPS instance, true otherwise.
  • ripsqube.remoteApplicationName (obsolete): Should not be used anymore.
  • ripsqube.blocker (optional): Custom threshold for blocker vulnerabilities.
  • ripsqube.critical (optional): Custom threshold for critical vulnerabilities.
  • ripsqube.major (optional): Custom threshold for major vulnerabilities.
  • ripsqube.analysisDepth (optional): Overwrite default analysis depth (5).
  • ripsqube.custom (optional): Overwrite default analysis profile.
  • ripsqube.scanTimeout (optional): Overwrite default scan timeout (5) in hours.

Viewing Scan Results

The scan results can be viewed together with all other project issues in the SonarQube web interface. All issues created by RIPS are vulnerabilities and tagged with the rips tag.

Not sure how to start a scan? The SonarQube documentation also provides helpful information on this topic: https://docs.sonarqube.org/display/SONAR/Analyzing+Source+Code.

Related

Also see our blog post about the RIPS SonarQube PHP plugin: https://blog.ripstech.com/2017/security-analysis-with-sonarqube-plugin/.

  • No labels