Can SonarQube be used as a Static Application Security Testing (SAST) tool?


Solution 1

There is a separate SAST tool released by the OWASP team named "OWASP SonarQube". This is developed using the SonarQube tool, but as a SAST tool.

This tool can be integrated with your project build in the same way as the SonarQube integration. So if you are familiar with SonarQube, it will be a straightforward move.

Solution 2

I don't know Checkmarx, but if you only filter for vulnerabilities you may only see 33 rules. If you however filter for different standards like SANS, CWE, CERT and the like, there are many more: https://www.sonarsource.com/products/codeanalyzers/sonarjava/rules.html#CERT

Also you can add FindBugs with the secbugs plugin, which has over 125 security bug patterns... You may have to deactivate the redundant ones, though (and it is only for Java...)
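As an added example (not part of the answer above), this is how the FindBugs plus Find Security Bugs combination it mentions can be wired into a Maven build. It uses SpotBugs, the maintained successor of FindBugs, and the plugin versions are assumptions to be checked against current releases.

```xml
<!-- pom.xml fragment (added example): run SpotBugs with the Find Security Bugs detectors.
     Versions are assumptions; look up the current releases on Maven Central. -->
<build>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>4.8.3.0</version>
      <configuration>
        <!-- Max effort and Low threshold surface the most findings; tune down if too noisy. -->
        <effort>Max</effort>
        <threshold>Low</threshold>
        <!-- Find Security Bugs contributes the security-focused bug patterns to SpotBugs. -->
        <plugins>
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <version>1.12.0</version>
          </plugin>
        </plugins>
        <!-- Optional include filter (file name is an assumption) that keeps only the
             SECURITY category, so findings already covered by SonarQube rules are not
             reported twice:
               <FindBugsFilter>
                 <Match><Bug category="SECURITY"/></Match>
               </FindBugsFilter> -->
        <includeFilterFile>spotbugs-security-include.xml</includeFilterFile>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Run `mvn compile spotbugs:check` to fail the build on findings, or `mvn compile spotbugs:spotbugs` to only write the report under target/.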

Author: DogJunior

Updated on June 12, 2022

Comments

  • DogJunior, almost 2 years ago

    I'm looking for a Static Application Security Testing (SAST) tool and I can't afford the commercial products (e.g. Checkmarx).

    SonarQube is a great static code analysis tool, but I notice that there are only a few rules of the "Vulnerabilities" type ("Vulnerabilities" equals "Security", am I right?).

    I plan to extend some custom plugins including a lot of vulnerability rules (maybe hundreds of rules for C/C++, Java, and other languages that SonarQube supports).

    Is that a practicable way to make SonarQube a "Checkmarx like" tool? Or is SonarQube suitable for static security testing? (I'm not sure if Sonar Scanner is suitable for scanning security problems)

    Thanks a lot!