search

pumasecurity / puma-scan

Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
https://www.pumascan.com
Mozilla Public License 2.0
447 stars 79 forks source link

integrate with sonarqube #53

Closed projectrvce closed 5 years ago

projectrvce commented 5 years ago

I want to integrate this project with sonarqube. Is there any way to do this?

ejohn20 commented 5 years ago

If puma scan is installed via a NuGet package, it appears that Sonar supports importing those warnings: https://docs.sonarqube.org/pages/viewpage.action?pageId=11640944.

ejohn20 commented 5 years ago

Comment from duplicate issue: I actually want to edit this pumasecurity, create nuget package and then integrate it with sonarqube. May I know how can we create nuget package after editing puma security?

ejohn20 commented 5 years ago

We encourage folks to fork our repository, make customizations, and contribute back via a merge request if you'd like to enhance the project.

Are you looking to create a sonar integration only, or do you have also have custom rules that you'd like to integrate as well?

Overall, I would start by looking in the Puma.Security.Parser project, which parses the build results (MSBuild) and pulls out all of the SEC### issues. This project currently exports the data to MSBuild and SARIF formatted results.

This project could easily be enhanced to call the Sonar API and upload the Puma results to a given Sonar project.

ejohn20 commented 5 years ago

Comment from duplicate issue: I actually want to edit this pumasecurity, create nuget package and then integrate it with sonarqube. May I know how can we create nuget package after editing puma security?

Answering your nuget question, the Rules project is configured to build a nuget package during each build. It is output into the Rules/bin/Debug|Release directory.

projectrvce commented 5 years ago

Severity Code Description Project File Line Suppression State Error The command ""C:\Users\meghanar\Downloads\pumascan\puma-scan-2.0.0.1\packages\NuGet.CommandLine.3.4.3\tools\NuGet.exe" pack Diagnostic.nuspec -NoPackageAnalysis -Version 2.0.0.1 -OutputDirectory ." exited with code 3. Puma.Security.Rules C:\Users\meghanar\Downloads\pumascan\puma-scan-2.0.0.1\Rules\Puma.Security.Rules.csproj 400

I am getting this error when i am trying to build the solution. Can you please help me in overcoming this problem?

ejohn20 commented 5 years ago

We just released v2.1.0.0 this morning. I'd recommend pulling the latest code. It is now targeting .NET Standard 2.0 instead of the full framework. This will get us on the same page.

ejohn20 commented 5 years ago

Did you get this integration working? If so, willing to contribute back for other folks? We have had a lot of people ask about how to do this. Even just a write up of how to do it would be very helpful.

projectrvce commented 5 years ago

It was working when I tried it some couple of days back. I never tried after that.