insidersec / insider

Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, performing source code analysis to find vulnerabilities right in the source code, designed as agile, easy-to-implement software for your DevOps pipeline. Supports the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
https://insidersec.io
MIT License

Output SonarQube reports #15

Open cynthiabaran opened 4 years ago

cynthiabaran commented 4 years ago

Describe the solution you'd like: Insider could generate a SonarQube-compatible report, which should have this format. To achieve this, we will need to assign a unique ID to each rule.

Describe alternatives you've considered: Let every rule id have the prefix "insider", and the suffix composed of an abbreviation of the language and an integer, for example, INSIDER-JS1.

Additional context: Other SAST tools, such as GoSec, already have this feature. The id of GoSec rules follows the pattern G101.

htrgouvea commented 4 years ago

Hi @cynthiabaran,

First of all, I would like to thank you for opening this issue! This kind of functionality is very interesting, I believe that we can work on that... But, if you find it interesting, feel free to open a PR with this implementation, it will be very welcome!

Thx!

cynthiabaran commented 4 years ago

I actually did it 3 days ago, but one day later you guys released v2 😅 Sooo I'll have to rewrite some stuff, but probably I'll be able to contribute. This feature is important for us.

You okay with my suggestion for the naming convention of the rules' ids?

danilodeveloper commented 4 years ago

Hey @cynthiabaran, I liked your naming convention suggestion.

What do you think guys @hermescanutodesouza @bieeldeveloper @GouveaHeitor

cynthiabaran commented 4 years ago

Another issue worth discussing is the name of the SonarQube report.

I just noticed that in v2 you've added a timestamp to the name of the report file. That's kind of an issue when adding this tool to automatic CI pipelines, since it requires extra work for the pipeline script to figure out the name of the report to send to SonarQube.

Off the top of my head, I think we could output a fixed filename such as report-sonarqube.json, dropping the timestamp for the SonarQube report. That is easy to implement, and we don't really need a unique timestamp for SonarQube reports since it keeps track of all analyses for us.

Any thoughts?
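As an added illustration of the two proposals above (the INSIDER-JS1 rule id convention and a SonarQube report written under a fixed name), here is example code that is not part of Insider itself: it assumes a simplified, hypothetical Finding type and emits the SonarQube Generic Issue Import JSON layout (engineId, ruleId, severity, type, primaryLocation).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is a hypothetical, simplified stand-in for one Insider result (not the project's own type); Tech is the value given to -tech.
type Finding struct {
	Tech, Severity, File, Message string
	RuleNum, Line                 int
}
// The following structs mirror SonarQube's Generic Issue Import JSON format.
type textRange struct {
	StartLine int `json:"startLine"`
}
type location struct {
	Message   string    `json:"message"`
	FilePath  string    `json:"filePath"`
	TextRange textRange `json:"textRange"`
}
type SonarIssue struct {
	EngineID        string   `json:"engineId"`
	RuleID          string   `json:"ruleId"`
	Severity        string   `json:"severity"` // BLOCKER, CRITICAL, MAJOR, MINOR or INFO
	Type            string   `json:"type"`     // BUG, VULNERABILITY or CODE_SMELL
	PrimaryLocation location `json:"primaryLocation"`
}
// RuleID applies the convention proposed in this issue: prefix INSIDER, a language abbreviation and an integer, e.g. INSIDER-JS1.
func RuleID(tech string, n int) string {
	abbr := map[string]string{"javascript": "JS", "java": "JAVA", "csharp": "CS",
		"android": "ANDROID", "ios": "IOS"}[strings.ToLower(tech)]
	if abbr == "" { // unknown -tech value: fall back to the upper-cased name so ids stay unique per language
		abbr = strings.ToUpper(tech)
	}
	return fmt.Sprintf("INSIDER-%s%d", abbr, n)
}
// ToSonarReport renders findings as the {"issues": [...]} document sonar-scanner imports; write it under a fixed name such as report-sonarqube.json so CI needs no timestamp lookup.
func ToSonarReport(findings []Finding) ([]byte, error) {
	issues := make([]SonarIssue, 0, len(findings)) // non-nil so an empty scan yields [] rather than null
	for _, f := range findings {
		issues = append(issues, SonarIssue{
			EngineID: "insider", RuleID: RuleID(f.Tech, f.RuleNum),
			Severity: f.Severity, Type: "VULNERABILITY",
			PrimaryLocation: location{Message: f.Message, FilePath: f.File, TextRange: textRange{StartLine: f.Line}},
		})
	}
	return json.MarshalIndent(map[string][]SonarIssue{"issues": issues}, "", "  ")
}
```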

mattheusv commented 3 years ago

Hi @cynthiabaran, really sorry for the delay. About the timestamps on the report, Insider has a -force flag that generates reports without a timestamp and will overwrite existing report files.

About the SonarQube report, I think that we should create a new flag, -format for example, to specify the type of output report, something like this:

$ insider -tech javascript -target <dir> -format sonarqube

This will generate a report in SonarQube format; if this flag is not given, we generate the "default" report that we generate today. What do you think? And again, sorry for the delay.