SonarQube

You can find out more about our SonarQube plugin in our blog post.

Features

The RIPS SonarQube plugin lets you run scans from SonarQube and imports issues from the corresponding RIPS scans to SonarQube.

To use the RIPS SonarQube plugin within Java or PHP projects, you have to install the associated SonarQube default plugin for the language.

Differences from SonarPHP/Java

SonarPHP/Java does not perform real security analysis; it only reports signature matches when suspicious PHP/Java features such as eval() are used in your code (see SonarPHP Rules/SonarJava Rules). It does not analyze the data flow of user input into this eval() statement and thus cannot decide whether this is an exploitable vulnerability for an attacker who can modify the PHP/Java code that is evaluated, or whether it is simply a bad coding practice with static PHP/Java code being evaluated. Hence, SonarPHP/Java cannot report real security issues such as Cross-Site Scripting, SQL injection or other OWASP Top 10 issues.

You can find more information on how this pattern matching approach compares to our static code analysis approach in our blog post.

SonarQube Setup

  1. Download and install Java 8 JRE (https://www.java.com/).
  2. Download and install SonarQube (https://www.sonarqube.org/downloads/). The plugin was developed for SonarQube version 6.7.1 (LTS) and should work on newer versions. Older versions are currently not supported, although you are free to try them.
  3. Install the SonarPHP/Java plugin (https://docs.sonarqube.org/display/SONAR/Installing+a+Plugin).

Please refer to the SonarQube documentation for more details concerning SonarQube itself: https://docs.sonarqube.org/.

To control access to scanning and, among other things, to this plugin within SonarQube, please refer to the corresponding pages in the SonarQube documentation: https://docs.sonarqube.org/display/SONAR/Security.

Compatibility

Plugin   SonarQube   RIPS API   Download
1.7.4    6.7.x       2.x        Link
2.2.1    6.7.x       3.x        Link

RIPS Plugin Setup

The RIPS plugin for SonarQube is currently not in the SonarQube plugin repository. Hence, for the time being, you will need to install it manually:

  1. Obtain the RIPS plugin file from files.ripstech.com.
  2. Move the plugin file to <your SonarQube install directory>/extensions/plugins/.
  3. Restart SonarQube.
  4. You may have to activate the RIPSQube quality profile for projects to start using the plugin. See the image below for details: simply click on the marked interface elements in the order specified:


Note that you can also associate the quality profile with projects by selecting the quality profile in the project directly. Please refer to the SonarQube documentation for details if you prefer to do it this way. Also see section 'Scan Configuration'.

Alternatively, you can select the RIPS profile as the default or add the RIPS rules to another PHP profile of your choice.

Plugin Configuration

You can change the general plugin settings by going to Administration and selecting RIPS on the left side of the screen when you are in the Configuration tab.

Configuration Parameters

  • APIv3 Base URL: define the API's base URL of the RIPS instance you are going to use.

Scan Configuration

In order to scan a project with RIPS you will need to add some configuration parameters to your sonar.properties file. The following parameters are available:

  • ripsqube.username (required): Your RIPS user account email.
  • ripsqube.password (required): Your RIPS user account password.
  • ripsqube.baseUrl (optional): Use this field to overwrite the default API URL for this project only.
  • ripsqube.applicationId (required): The RIPS application ID with which to associate this SonarQube project (note: the application must already exist; it is not created automatically).
  • ripsqube.blocker (optional): Custom threshold for blocker vulnerabilities.
  • ripsqube.critical (optional): Custom threshold for critical vulnerabilities.
  • ripsqube.major (optional): Custom threshold for major vulnerabilities.
  • ripsqube.analysisDepth (optional): Overwrite default analysis depth (5).
  • ripsqube.profileId (optional): Overwrite default analysis profile.
  • ripsqube.scanTimeout (optional): Overwrite default scan timeout (5) in hours.
  • ripsqube.versionPattern (optional): Default value "{isoDateTime}".

The codeStored and uploadRemoved options should be configured in the analysis profile that is used for the scan.

Version Pattern

Pattern         Description
{isoDateTime}   Insert timestamp of the scan starting time.
{buildSystem}   Insert "SonarQube".
{buildNumber}   Insert current build number.
{projectKey}    Insert module key.
{branch}        Insert name of current branch (SonarQube Developer Edition required).
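The following added example (not the RIPS plugin's own code) shows how the Scan Configuration parameters and the Version Pattern placeholders above fit together: it reads the ripsqube.* keys from a constructed sonar.properties fragment, applies the documented defaults, rejects a configuration with a missing required key, and expands a version pattern. How the plugin treats unknown placeholders is not documented, so leaving them untouched is an assumption here.

```python
# Added illustration, not the RIPS plugin's own code: read the ripsqube.*
# properties described above, apply the documented defaults and expand the
# version pattern placeholders (unknown placeholders stay as-is: an assumption).
REQUIRED = ("ripsqube.username", "ripsqube.password", "ripsqube.applicationId")
DEFAULTS = {"ripsqube.analysisDepth": "5", "ripsqube.scanTimeout": "5",  # hours
            "ripsqube.versionPattern": "{isoDateTime}"}  # documented defaults

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def ripsqube_config(props):
    """Effective ripsqube.* settings; raises if a required key is missing or empty."""
    missing = [k for k in REQUIRED if not props.get(k)]
    if missing:
        raise ValueError("missing required RIPS settings: " + ", ".join(missing))
    cfg = dict(DEFAULTS)
    cfg.update({k: v for k, v in props.items() if k.startswith("ripsqube.")})
    return cfg

def expand_version_pattern(pattern, *, started_at, build_number, project_key, branch=None):
    """Substitute the documented placeholders ({branch} needs Developer Edition)."""
    values = {
        "{isoDateTime}": started_at.isoformat(timespec="seconds"),
        "{buildSystem}": "SonarQube",
        "{buildNumber}": str(build_number),
        "{projectKey}": project_key,
    }
    if branch is not None:  # without branch support the placeholder is left alone
        values["{branch}"] = branch
    for placeholder, value in values.items():
        pattern = pattern.replace(placeholder, value)
    return pattern

# Constructed sample sonar.properties fragment (placeholder credentials).
SAMPLE = """
ripsqube.username=scanner@example.com
ripsqube.password=<placeholder>
ripsqube.applicationId=42
ripsqube.versionPattern={buildSystem}-{buildNumber}-{projectKey}
"""
```

Running `ripsqube_config(parse_properties(SAMPLE))` yields the effective settings with the defaults filled in, and expanding the configured pattern for build 17 of project key shop gives "SonarQube-17-shop".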

Viewing Scan Results

The scan results can be viewed together with all other project issues in the SonarQube web interface. All issues created by RIPS are vulnerabilities and tagged with the rips tag.

Not sure how to start a scan? The SonarQube documentation also provides helpful information on this topic: https://docs.sonarqube.org/display/SONAR/Analyzing+Source+Code.

Related

Also see our blog post about the RIPS SonarQube PHP plugin: https://blog.ripstech.com/2017/security-analysis-with-sonarqube-plugin/.