You can find out more about our SonarQube plugin in our blog post.
The RIPS SonarQube plugin lets you run scans from SonarQube and imports issues from the corresponding RIPS scans to SonarQube.
To use the RIPS SonarQube plugin within Java or PHP projects, you have to install the associated SonarQube default plugin for the language.
Difference to SonarPHP/Java
SonarPHP/Java does not perform real security analysis but only reports signature matches when suspicious PHP/Java features such as "eval()" are used in your code (see SonarPHP Rules/SonarJava Rules). It does not analyze the data flow of user input into this eval() statement and thus cannot decide if this is an exploitable vulnerability for an attacker that can modify the PHP/Java code that is evaluated, or if it is simply a bad coding practice with static PHP/Java code being evaluated. Hence, SonarPHP/Java cannot report real security issues such as Cross-Site Scripting, SQL injection or any other OWASP Top 10 issues.
You can find more information on how this pattern matching approach compares to our static code analysis approach in our blog post.
- Download and install Java 8 JRE (https://www.java.com/).
- Download and install SonarQube (https://www.sonarqube.org/downloads/). The plugin was developed for SonarQube version 6.7.1 (LTS) and should work on newer versions. Older versions are currently not supported, although you are free to try them.
- Install the SonarPHP/Java plugin (https://docs.sonarqube.org/display/SONAR/Installing+a+Plugin).
Please refer to the SonarQube documentation for more details concerning SonarQube itself: https://docs.sonarqube.org/.
To control access to scanning and amongst others this plugin within SonarQube, please refer to the corresponding pages in the SonarQube documentation: https://docs.sonarqube.org/display/SONAR/Security.
RIPS Plugin Setup
The RIPS plugin for SonarQube is currently not in the SonarQube plugin repository. Hence, at the time being, you will need to install it manually:
- Obtain the RIPS plugin file from files.ripstech.com.
- Move the plugin file to
<your SonarQube install directory>/extensions/plugins/.
- Restart SonarQube.
- You may have to activate the RIPSQube quality profile for projects to start using the plugin. See the image below for details: simply click on the marked interface elements in the order specified:
Note that you can also associate the quality profile with projects by selecting the quality profile in the project directly. Please refer to the SonarQube documentation for details if you prefer to do it this way. Also see section 'Scan Configuration'.
Alternatively you can also select the RIPS profile as default or add RIPS rules to another PHP profile of your choice.
You can change the general plugin settings by going to
Administration and selecting
RIPS on the left side of the screen when you are in the
APIv2 Base URL: define the API's base URL of the RIPS instance you are going to use.
In order to scan a project with RIPS you will need to add some configuration parameters to your
sonar.properties file. Following parameters are available:
ripsqube.username(required): Your RIPS API user name.
ripsqube.password(required): Your RIPS API password.
ripsqube.baseUrl(optional): Use this field to overwrite the default API URL for this project only.
ripsqube.applicationId(required): The RIPS application ID with which to associate this SonarQube project.
ripsqube.local(required): Should be set to
ripsqube.storeCode(optional): Set to
trueif you wish to store the code in the RIPS instance,
ripsqube.local=false): Set to
falseif you wish to keep uploads made to a cloud RIPS instance,
obsolete): Should not be used anymore.
ripsqube.blocker(optional): Custom threshold for blocker vulnerabilities.
ripsqube.critical(optional): Custom threshold for critical vulnerabilities.
ripsqube.major(optional): Custom threshold for major vulnerabilities.
ripsqube.analysisDepth(optional): Overwrite default analysis depth (5).
ripsqube.custom(optional): Overwrite default analysis profile.
ripsqube.scanTimeout(optional): Overwrite default scan timeout (5) in hours.
Viewing Scan Results
The scan results can be viewed together with all other project issues in the SonarQube web interface. All issues created by RIPS are vulnerabilities and tagged with the
Not sure how to start a scan? The SonarQube documentation also provides helpful information on this topic: https://docs.sonarqube.org/display/SONAR/Analyzing+Source+Code.
Also see our blog post about the RIPS SonarQube PHP plugin: https://blog.ripstech.com/2017/security-analysis-with-sonarqube-plugin/.