As a developer I want a secure coding tool to analyse my code so that it adheres to best practices

[StephenCoady]

https://www.sonarqube.org/ is a code analyser which can identify bugs in code and also highlight best practices from a secure coding point of view. I think it would be good to have this tool as part of this project, especially considering it is an identity management solution.

In my opinion this user story could be broken into multiple parts.

1) Analise securitas using all 3 tools mentioned in this issue 2) Provide manual feedback to the team from this first report 3) Fix any and all issues the tools identify 4) Investigate the 3 tools and where/how we could host it or have it hosted 5) Investigate how these services could be integrated into our CI pipeline

I think 4 and 5 are stretch goals and will probably require input from someone with more operations knowledge than myself.

AC

1. We have generated enough information to make an informed decision about which of these tools we will use.
2. We have information about how the tool(s) we select could become integrated into our workflow.
3. Any issues identified by these tools are fixed.

DoD

This issue can be considered done when this repo has had any and all security issues fixed and at least one of the tools investigated is part of the development workflow.

[relrod]

There's also Bandit that we should use. When I turned over the codebase to the fedora-infra org, it passed Bandit on the highest settings. Not sure if that's still the case, haven't checked recently.

[abompard]

Bandit is already checked in the tox.ini file.

I've never tried Sonarqube, but I have also heard of LGTM which I heard gives good results. I'm not against having as many analyzers as is relevant, given the sensitivity of the project. Thanks for opening this ticket Stephen.

[StephenCoady]

I think we should change the steps involved and add a spike to see which tool to use. I have no preference.

Maybe run all 3 and see which provides the most detailed/useful results. I think it would be good to evaluate.

[relrod]

I'm fine with using any and all static analyzers known to be good at tracking down security issues. I don't know if it needs to be a spike, imo just add them and if we run into issues with one of them we can disable it.

[james02135]

I'm going to spend the rest of the week running Sonarqube, Bandit, and LGTM against Securitas and will have more info on Friday.

[sfinn85]

Sounds good @james02135

[sfinn85]

Sprint planning 3 meeting: @StephenCoady to add AC & DOD

[sfinn85]

Daily stand up update: @james02135 working on this with @StephenCoady today regarding the report and will possibly add a report as a comment on this user story or just comment with progress.

Thanks @james02135

[james02135]

TL;DR= Bandit is already installed and working - no need to change, LGTM does the same as Bandit just online, SonarQube(sonarcloud) does a wide range of checks, lets think about adding it

SONARQUBE

OVERVIEW

• Ran sonarqube locally via docker, listening on localhost:9000
• To run a new project, the GUI asks for a project name, a token, and the OS
• a bash command is returned that needs to be entered into the base folder of the project
• GUI automatically updated with results

APPLICATION

• 6 different categories are displayed for the quality of the code
  • Quality Gate: How the code is rated
  • Reliability: How many bugs were found in the code
  • Security: Any security related issues found
  • Maintainability: Code smells and tech debt
  • Coverage: How well the code is tested, displayed in percentage
  • Duplications: Any duplicate code
• User can click into each category and discover where in the code the issue is, any fix recommendations, and why the issue was flagged
• To re-run the scan, the user needs to run the same bash command and the results automatically show on the GUI along with any changes between the first scan and any further scans
• There is a sonarlint extension in VS Code that shows errors or issues as the code is written

BANDIT

OVERVIEW

• Already checked in Securitas tox.ini file
• Lightweight CLI tool that scans the code for purely security issues, no code coverage, smells, tech debt, etc.

APPLICATION

• Ran the command in the tox.ini file and returned no issues, small summary returned showing how many lines were scanned, issues by severity or confidence
• Ran a simpler command without the restrictions to see what the results would look like, returned 244 different issues all in the CLI along with the summary

LGTM

OVERVIEW

• Online security scanner
• Allows user to link with Github account, scan repos there

APPLICATION

• Ran the scanner against the remote repo of Securitas, returned 8 security alerts
• Overview page gives the user a breakdown of the results
  • languages used
  • code quality grade A-F
  • alerts sorted by severity
  • where in the code the alert was found
  • reason for the alert
  • tags the alert with applicable terms like "maintainability", "useless code", etc
• Can export the alerts to a file
• No apparent ability to re-run the scan

INTEGRATION

• Bandit is already checked, it's a lightweight scanner, no reason to delete it
• LGTM or SonarQube can be added via webhooks to the repo

[james02135]

After researching the 3 tools, it makes the most sense to keep Bandit as it is already integrated into the project and can be run when necessary. Also, add sonarqube to the CI checks via a webhook and use their free hosting site, sonarcloud.io

[sfinn85]

Est S

[sfinn85]

Waiting for Aurelien, to set up as he has permissions

[abompard]

I can do that in the next days when needed, @james02135 just send me the webhook urls when you have them.

[james02135]

https://github.com/apps/sonarcloud @abompard that will have to be configured for "noggin", or "securitas", or whatever it will be named in the end.