mitre / heimdall2

Heimdall Enterprise Server 2 lets you view, store, and compare automated security control scan results.

sonarqube converter should pull in bugs/codesmells/etc and not just vulnerabilities #2401

Open dc3a42 opened 2 years ago

dc3a42 commented 2 years ago

[This is Dave Anderson, dca@mitre.org]

I pulled a test repo (angular) and ran a scan using the CLI, supported by a local SonarQube Docker image. I can see the new project and 322 "bugs" listed in the dashboard, 190 "Major", 132 "Minor". When I run the converter `heimdall_tools sonarqube_mapper --name=angular --output angular.hdf --api-url=http://localhost:9000/api --auth=user:pass` it completes without complaint but I get a very sparse JSON output:

```json
{
  "platform": {"name": "Heimdall Tools", "release": "1.3.48", "target_id": ""},
  "version": "1.3.48",
  "statistics": {"duration": null},
  "profiles": [
    {
      "name": "SonarQube Scan",
      "version": "9.2.1.49989",
      "title": "SonarQube Scan of Project: angular",
      "maintainer": null,
      "summary": "SonarQube Scan of Project: angular",
      "license": null,
      "copyright": null,
      "copyright_email": null,
      "supports": [],
      "attributes": [],
      "depends": [],
      "groups": [],
      "status": "loaded",
      "controls": [],
      "sha256": "fe77bbc6aef9064832a84c83e6be3b1fd59bf5fd06c2d3bec493f8beb6ccc736"
    }
  ]
}
```

This is with current versions of the server and CLI. I am pretty sure I got the project name and api-url right, as incorrect versions gave me errors. Anything obvious I need to do differently to get the full list of 322 findings? There doesn't seem to be a --verbose flag.

And a follow-up question: how can I use a token instead of the `--auth=user:password` command-line option? More broadly, I haven't been able to find any API documentation for SonarQube -- any pointers? I'd be happy to dig deeper into this, if I knew what was supposed to work on the SQ side.

dc3a42 commented 2 years ago

More API query detail:

```text
Fetching from endpoint /issues/search
Query params {"componentKeys":"angular","resolved":"false","types":"VULNERABILITY","ps":100,"p":1}
```

This looks plausible to me.

I finally found the web api doc -- it's apparently not published online but available inside the server! I see this action requires "browse" permission, but the project is "public" and anyone can browse.

Amndeep7 commented 2 years ago

Hi Dave, the sonarqube mapper currently only moves over vulnerabilities since that's the security priority. We'll welcome any PRs to extend the functionality to support bugs/codesmells/etc as well.

Currently the mapper only supports --auth=username:password. We'd also welcome any PRs to extend the functionality to support tokens too.

Please send mapper functionality PRs to the js/typescript version that we are transitioning to here. We've got most of the mappers transitioned, and the sonarqube one should be merged in today but is currently here.

It seems like the sonarqube api is documented within the application itself, which seems pretty frustrating, though you should be able to pull it out from the container by accessing the gui or calling the /web_api endpoint.

> SonarQube provides web API to access its functionalities from applications. The web services composing the web API are documented within SonarQube, through the URL /web_api. You can also access the web API documentation from the top bar in SonarQube:

Nice to see that you were able to find the api documentation.

Amndeep7 commented 2 years ago

Tagging in @camdenmoors for the sonarqube ts version.

dc3a42 commented 2 years ago

Thanks, @Amndeep7 this is super helpful. This scan found zero vulnerabilities, which would explain why I'm not seeing any responses. I tweaked the SQ converter to pull bugs too, and got the 322 bugs. Interestingly, 12 of them showed up in heimdall-lite as vulnerabilities. I wonder if they're valid?

I will probably want to extend the SQ converter a little bit, to add options to pull bugs/codesmells, support tokens, and to dump the original SQ output. I'd really rather not submit PRs to code that's in transition, so hopefully you'll be done shortly.

camdenmoors commented 2 years ago

Hi Dave, the TypeScript version of the SonarQube mapper is in progress at https://github.com/mitre/heimdall2/pull/1798; the goal is to have that completed today along with a release of Heimdall and HDF-Converters so it can be implemented into heimdall_tools/SAF CLI.

The reason 12 likely showed up in Heimdall is that each finding is a sub-control grouped by the rule name; expanding each rule should give you the individual findings as shown in SonarQube.
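The thread covers three things a converter extension would need: widening the `types` query parameter beyond `VULNERABILITY`, accepting a token as well as `user:password`, and the per-rule grouping that explains why the 322 bugs collapse to 12 rows in Heimdall. The following is an added example sketch, not heimdall2 or heimdall_tools code. It assumes SonarQube accepts a comma-separated `types` list on `/issues/search` and that a user token is sent as the basic-auth username with an empty password; the issue data and the in-memory "server" are constructed so the block runs offline.

```typescript
// Added example, not heimdall2 / heimdall_tools code: a sketch of a SonarQube
// /issues/search client that (1) asks for several issue types instead of only
// VULNERABILITY, (2) accepts either user:password or a bare token for basic auth,
// (3) follows ps/p pagination, and (4) groups issues by rule the way the thread
// says Heimdall displays them. The HTTP layer is injected so it runs offline.

type IssueType = "VULNERABILITY" | "BUG" | "CODE_SMELL";

interface SonarIssue {
  key: string;
  rule: string;
  type: IssueType;
  severity: string;
  component: string;
  message: string;
}

// Subset of one /issues/search response page.
interface SearchPage {
  total: number;
  p: number;
  ps: number;
  issues: SonarIssue[];
}

type Fetcher = (
  path: string,
  params: Record<string, string>,
  headers: Record<string, string>,
) => SearchPage;

// Same parameters the converter logs in the thread, with `types` widened to a
// comma-separated list (assumption: SonarQube accepts multiple types this way).
export function buildIssueQuery(
  projectKey: string,
  types: IssueType[],
  page: number,
  pageSize = 100,
): Record<string, string> {
  return {
    componentKeys: projectKey,
    resolved: "false",
    types: types.join(","),
    ps: String(pageSize),
    p: String(page),
  };
}

// Assumption: a SonarQube user token is sent as the basic-auth username with an
// empty password, so "user:pass" and a bare token both map to one header.
export function buildAuthHeader(auth: string): string {
  const credentials = auth.includes(":") ? auth : `${auth}:`;
  return "Basic " + Buffer.from(credentials, "utf8").toString("base64");
}

// Walk pages until `total` issues are collected; also stop on an empty page so a
// server that misreports `total` cannot loop forever.
export function fetchAllIssues(
  fetcher: Fetcher,
  projectKey: string,
  types: IssueType[],
  auth: string,
  pageSize = 100,
): SonarIssue[] {
  const headers = { Authorization: buildAuthHeader(auth) };
  const collected: SonarIssue[] = [];
  for (let page = 1; ; page++) {
    const res = fetcher("/issues/search", buildIssueQuery(projectKey, types, page, pageSize), headers);
    collected.push(...res.issues);
    if (res.issues.length === 0 || collected.length >= res.total) break;
  }
  return collected;
}

// One "control" per rule; each finding becomes a sub-result under its rule.
export function groupByRule(issues: SonarIssue[]): Map<string, SonarIssue[]> {
  const groups = new Map<string, SonarIssue[]>();
  for (const issue of issues) {
    const bucket = groups.get(issue.rule) ?? [];
    bucket.push(issue);
    groups.set(issue.rule, bucket);
  }
  return groups;
}

// Constructed sample data mirroring the thread: bugs and a code smell, no vulnerabilities.
export const SAMPLE_ISSUES: SonarIssue[] = [
  { key: "b1", rule: "ts:null-deref", type: "BUG", severity: "MAJOR", component: "src/a.ts", message: "Possible null dereference" },
  { key: "b2", rule: "ts:null-deref", type: "BUG", severity: "MAJOR", component: "src/b.ts", message: "Possible null dereference" },
  { key: "b3", rule: "ts:null-deref", type: "BUG", severity: "MINOR", component: "src/c.ts", message: "Possible null dereference" },
  { key: "b4", rule: "ts:unreachable", type: "BUG", severity: "MAJOR", component: "src/d.ts", message: "Unreachable code" },
  { key: "b5", rule: "ts:bad-compare", type: "BUG", severity: "MINOR", component: "src/e.ts", message: "Always-true comparison" },
  { key: "s1", rule: "ts:unused-var", type: "CODE_SMELL", severity: "MINOR", component: "src/f.ts", message: "Unused variable" },
];

// Fake server: filters by requested types, pages with ps/p, rejects missing auth.
export function makeFakeFetcher(data: SonarIssue[]): Fetcher {
  return (_path, params, headers) => {
    if (!headers["Authorization"]?.startsWith("Basic ")) throw new Error("401 unauthenticated");
    const wanted = new Set(params["types"].split(","));
    const matching = data.filter((i) => wanted.has(i.type));
    const ps = Number(params["ps"]);
    const p = Number(params["p"]);
    return { total: matching.length, p, ps, issues: matching.slice((p - 1) * ps, p * ps) };
  };
}
```

Against this data a `VULNERABILITY`-only query returns nothing, which is exactly the empty `controls` array in the original report, while `["BUG"]` returns five issues that `groupByRule` collapses to three rule-level controls. Swapping the injected fetcher for a real HTTP call is the only change needed to point it at a server.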