Added SonarQube API report

[flopezluksenberg]

In this PR I'm creating a Sonar Qube API report plugin.

Before reading the code, please read the following considerations:

• Sonar Qube does not include some export reports as XML or JSON in the UI. For that reason, I've checked how it was implemented in DefectDojo and I worked based on that.
• Before getting into DefectDojo code, I tried to find the history of the SonarQube report and how it was implemented. I found the following discussions: https://jira.sonarsource.com/browse/MMF-1672 and https://github.com/DefectDojo/django-DefectDojo/issues/810
• Wrapping up the previous discussions, the SonarQube team wanted to create the plugin in DefectDojo using their generic import but it finally wasn't implemented by them because DefectDojo detects that generic import couldn't say that the report belongs to SonarQube. It means that integration could be SonarQube --> Defect Dojo
• Then SonarQube team suggested let the DefectDojo team create the plugin using Sonar Qube API giving them some explanation about how the API work (read the JIRA ticket)
• DefectDojo implemented two versions on SonarQube report: One of them using the API and the other version using an external SonarQube HTML report (https://github.com/soprasteria/sonar-report).

Knowing the context I followed these considerations:

• This plugin will not connect with SonarQubeAPI because it needs the API Key, it only will read the JSON provided after making the request to the API
• The previous note means that the consumer needs to understand the SonarQube API and needs to know that the max page size is 500 items, so maybe needs to automate the pagination behavior generating one big JSON file or generating multiple JSON files to be uploaded in Faraday!
• You can see a JSON example in this url
• I skipped the implementation of the report based on HTML SonarQube report because that SonarQube plugin uses the SonarQube API too.

Some specific comments about the implementation:

• Severities and Status between Faraday and SonarQube are not the same, so in the plugin file I created some mapping that could change if you think that they are not correct. You can see this URL with SonarQube data
• I skipped all issue that is not VULNERABILITY (SonarQube recognizes Code Smells, bugs, and vulnerabilities)

Let me know if you need more info about it.

PD: Here you can see an image of the uploaded report

Thanks

[aenima-x]

@flopezluksenberg great, If you want now with this plugin it could be possible to a write a faraday executor (I don't know if you know that https://github.com/infobyte/faraday_agent_dispatcher), the executor and connect to the api and use the plugin to send the info to faraday.

I will that a look at it, it maybe take some time for you to see that the PR is merged because we will merge it first to our private repo

[aenima-x]

@flopezluksenberg I have made some changes to have a better fit with our data model, and fix the report detection. When its ready the mirror to github from our repo I will merge it.

Thanks

[flopezluksenberg]

Hi @aenima-x , thank you for your feedback. I like the idea about create a custom dispatcher. Let me see how it works and I will implement it.

[aenima-x]

@flopezluksenberg The plugin is merged, I've made a few changes. One is the pluginid (to sonarqubeAPI), so remember to change it in your executor