Open dc3a42 opened 2 years ago
More API query detail:
Fetching from endpoint /issues/search
Query params {"componentKeys":"angular","resolved":"false","types":"VULNERABILITY","ps":100,"p":1}
this looks plausible to me.
I finally found the web api doc -- it's apparently not published online but available inside the server! I see this action requires "browse" permission, but the project is "public" and anyone can browse.
Hi Dave, the sonarqube mapper currently only moves over vulnerabilities since that's the security priority. We'll welcome any PRs to extend the functionality to support bugs/codesmells/etc as well.
Currently the mapper only supports --auth=username:password. We'd also welcome any PRs to extend the functionality to support tokens too.
Please send mapper functionality PRs to the js/typescript version that we are transitioning to here. We've got most of the mappers transitioned, and the sonarqube one should be merged in today but is currently here.
It seems like the sonarqube api is documented within the application itself, which seems pretty frustrating, though you should be able to pull it out from the container by accessing the gui or calling the /web_api endpoint.
SonarQube provides a web API to access its functionalities from applications. The web services composing the web API are documented within SonarQube, through the URL /web_api. You can also access the web API documentation from the top bar in SonarQube:
Nice to see that you were able to find the api documentation.
Tagging in @camdenmoors for the sonarqube ts version.
Thanks, @Amndeep7 this is super helpful. This scan found zero vulnerabilities, which would explain why I'm not seeing any responses. I tweaked the SQ converter to pull bugs too, and got the 322 bugs. Interestingly, 12 of them showed up in heimdall-lite as vulnerabilities. I wonder if they're valid?
I will probably want to extend the SQ converter a little bit, to add options to pull bugs/codesmells, support tokens, and to dump the original SQ output. I'd really rather not submit PRs to code that's in transition, so hopefully you'll be done shortly.
Hi Dave, the Typescript version of the SonarQube mapper is in progress at https://github.com/mitre/heimdall2/pull/1798; the goal is to have that completed today along with a release of Heimdall and HDF-Converters so it can be implemented into heimdall_tools/SAF CLI.
The reason 12 likely showed up in Heimdall is since each finding is a sub-control grouped by the rule name, expanding each rule should give you the individual findings as shown in SonarQube.
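The pieces discussed in this thread (the /issues/search query with componentKeys, resolved, types, ps and p; paging through results; authenticating with either user:password or a token; and grouping findings per rule the way Heimdall shows them) fit in one small script. This is an added example and not heimdall_tools or HDF-Converters code. It assumes a local server at http://localhost:9000/api as in the thread, the documented SonarQube response shape ({"total": N, "issues": [...]}), and that a token is sent as the HTTP Basic username with an empty password; the sample responses and the rule keys in them are constructed so the logic can run offline.

```python
"""Page through SonarQube's /api/issues/search and group findings by rule.

Added example, not heimdall_tools code. Assumes the Web API parameters shown in
the thread (componentKeys, resolved, types, ps, p) and the response shape
{"total": N, "issues": [...]}; the sample pages below are constructed.
"""
import base64
import json
import urllib.parse
import urllib.request
from collections import defaultdict

SONAR_API = "http://localhost:9000/api"  # assumed local server, as in the thread


def auth_header(auth=None, token=None):
    """Build the Authorization header for SonarQube.

    Either a user:password pair (the mapper's --auth form) or a token; a token is
    sent as the HTTP Basic username with an empty password.
    """
    if token:
        raw = f"{token}:"
    elif auth:
        raw = auth
    else:
        raise ValueError("need --auth=user:pass or a token")
    return "Basic " + base64.b64encode(raw.encode()).decode()


def build_params(component, types=("VULNERABILITY",), page=1, page_size=100):
    """Query parameters matching the ones the mapper logs in the thread."""
    return {
        "componentKeys": component,
        "resolved": "false",
        "types": ",".join(types),
        "ps": page_size,
        "p": page,
    }


def http_fetch(url, headers):
    """Real HTTP GET returning parsed JSON (used when talking to a live server)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all_issues(component, types=("VULNERABILITY",), auth=None, token=None,
                     api_url=SONAR_API, fetch=http_fetch):
    """Collect every unresolved issue of the requested types, following ps/p paging.

    `fetch` is injectable so the paging logic can be exercised offline.
    """
    headers = {"Authorization": auth_header(auth, token)}
    issues, page = [], 1
    while True:
        params = build_params(component, types, page)
        url = f"{api_url}/issues/search?{urllib.parse.urlencode(params)}"
        body = fetch(url, headers)
        batch = body.get("issues", [])
        issues.extend(batch)
        if not batch or len(issues) >= body.get("total", 0):
            break
        page += 1
    return issues


def group_by_rule(issues):
    """One group per rule key, with the individual findings underneath it."""
    grouped = defaultdict(list)
    for issue in issues:
        grouped[issue["rule"]].append(issue)
    return dict(grouped)


# --- constructed sample pages standing in for a live server ------------------
SAMPLE_PAGES = {
    1: {"total": 3, "issues": [
        {"key": "i1", "rule": "typescript:S1234", "type": "BUG", "severity": "MAJOR"},
        {"key": "i2", "rule": "typescript:S1234", "type": "BUG", "severity": "MINOR"},
    ]},
    2: {"total": 3, "issues": [
        {"key": "i3", "rule": "typescript:S5678", "type": "VULNERABILITY", "severity": "MAJOR"},
    ]},
}


def fake_fetch(url, headers):
    """Offline stand-in for http_fetch: serves the constructed page named in the URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[int(query["p"][0])]


def demo():
    """Pull vulnerabilities and bugs with a (constructed) token and count findings per rule."""
    issues = fetch_all_issues("angular", ("VULNERABILITY", "BUG"),
                              token="example-token-placeholder", fetch=fake_fetch)
    return {rule: len(found) for rule, found in group_by_rule(issues).items()}


if __name__ == "__main__":
    print(demo())
```

Swapping fake_fetch for the default http_fetch runs the same paging against a real server; the rule-level dictionary demo() returns is why a handful of rules can appear in Heimdall while the dashboard counts hundreds of individual findings.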
[This is Dave Anderson, dca@mitre.org]
I pulled a test repo (angular) and ran a scan using the CLI, supported by a local Sonarqube Docker image. I can see the new project and 322 "bugs" listed in the dashboard, 190 "Major", 132 "Minor". When I run the converter
heimdall_tools sonarqube_mapper --name=angular --output angular.hdf --api-url=http://localhost:9000/api --auth=user:pass
it completes without complaint but I get a very sparse JSON output: This is with current versions of the server and CLI. I am pretty sure I got the project name and api-url right, as incorrect versions gave me errors. Anything obvious I need to do differently to get the full list of 322 findings? There doesn't seem to be a --verbose flag.
And a follow-up question: how can I use a token instead of the --auth=user:password command-line option? More broadly, I haven't been able to find any API documentation for Sonarqube -- any pointers? I'd be happy to dig deeper into this, if I knew what was supposed to work on the SQ side.