spotbugs / sonar-findbugs

SpotBugs plugin for SonarQube
357 stars 136 forks source link

Scala/FindSecBugs Rules not being imported #438

Closed skysbsb closed 2 years ago

skysbsb commented 2 years ago

Issue Description

Hi everyone.

I am trying to use sonar-scanner to import a SpotBugs.xml output file from a manually SpotBugs run of a Scala only project to SonarQube.

This website contains a list of all possible bugs that findsecbugs can find: https://find-sec-bugs.github.io/bugs.htm

When I try to use sonar-scanner to import a previous gerenated SpotBugs.xml file from a Scala project, I get these output errors:

05:20:36.269 INFO: Loading findbugs plugin: /usr/src/.scannerwork/findbugs/findsecbugs-plugin.jar
05:20:36.295 INFO: Findbugs output report: /usr/src/.scannerwork/findbugs-result.xml
05:20:36.640 INFO: FindBugs report is already generated /usr/src/SpotBugs.xml. Reusing the report.
05:20:37.151 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.153 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.157 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.180 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.180 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.201 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.201 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.203 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.218 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.218 WARN: Findbugs rule 'PREDICTABLE_RANDOM_SCALA' is not active in Sonar.
05:20:37.218 INFO: Sensor FindBugs Sensor [findbugs] (done) | time=7392ms

This is my sonar-project.properties file, inside the project directory:

sonar.projectKey=scala-test
sonar.projectVersion=1.0-SNAPSHOT
sonar.sources=src
sonar.java.binaries=**/target/scala-2.13/classes
sonar.sourceEncoding=UTF-8
sonar.inclusions=**/*.scala
sonar.findbugs.reportpaths=SpotBugs.xml
sonar.log.level=DEBUG
sonar.java.libraries=.sbt-cache/**/*.jar
sonar.login=24xxx6

I think that SonarQube with FindBugs (+FindSecBugs) plugins recognizes every rule, except those listed as SCALA?!

Predictable pseudorandom number generator (Scala) (PREDICTABLE_RANDOM_SCALA)
Potential Path Traversal using Scala API (file read) (SCALA_PATH_TRAVERSAL_IN)
Potential Command Injection (Scala) (SCALA_COMMAND_INJECTION)
Potential Scala Slick Injection (SCALA_SQL_INJECTION_SLICK)
Potential Scala Anorm Injection (SCALA_SQL_INJECTION_ANORM)
Potential information leakage in Scala Play (SCALA_SENSITIVE_DATA_EXPOSURE)
Scala Play Server-Side Request Forgery (SSRF) (SCALA_PLAY_SSRF)
Potential XSS in Scala Twirl template engine (SCALA_XSS_TWIRL)
Potential XSS in Scala MVC API engine (SCALA_XSS_MVC_API)

There is no rule PREDICTABLE_RANDOM_SCALA in SonarQube (+Findbugs plugin) rules, only PREDICTABLE_RANDOM which is related to Java: image

I don't know if this is a expected issue.

Are Scala rules not imported by design using Findbugs+FindSecBugs plugin installed from SonarQube marketplace?

If this is the case, there is any roadmap for this issue? There is any workaround that I can follow to circumvent this problem?

Thanks in advance for any help.

Environment

Component Version
SonarQube Community Edition Version 9.2.4 (build 50792)
Sonar-FindBugs 4.0.5 (SpotBugs 4.5.0)
SonarScanner 4.6.2.2472
Java 11.0.12 Alpine (64-bit)
Linux 4.18.0-348.2.1.el8_5.x86_64 amd64
05:17:09.431 INFO: Load/download plugins (done) | time=143ms
05:17:09.506 DEBUG: Plugins:
05:17:09.506 DEBUG:   * Dependency-Check 2.0.8 (dependencycheck)
05:17:09.506 DEBUG:   * Python Code Quality and Security 3.8.0.8883 (python)
05:17:09.506 DEBUG:   * Go Code Quality and Security 1.8.3.2219 (go)
05:17:09.506 DEBUG:   * JaCoCo 1.1.1.1157 (jacoco)
05:17:09.506 DEBUG:   * Kotlin Code Quality and Security 2.7.0.948 (kotlin)
05:17:09.506 DEBUG:   * IaC Code Quality and Security 1.4.0.1294 (iac)
05:17:09.506 DEBUG:   * JavaScript/TypeScript Code Quality and Security 8.6.0.16913 (javascript)
05:17:09.507 DEBUG:   * Ruby Code Quality and Security 1.8.3.2219 (ruby)
05:17:09.507 DEBUG:   * Scala Code Quality and Security 1.8.3.2219 (sonarscala)
05:17:09.507 DEBUG:   * C# Code Quality and Security 8.32.0.39516 (csharp)
05:17:09.507 DEBUG:   * Findbugs 4.0.5 (findbugs)
05:17:09.507 DEBUG:   * Java Code Quality and Security 7.5.0.28054 (java)
05:17:09.507 DEBUG:   * HTML Code Quality and Security 3.4.0.2754 (web)
05:17:09.507 DEBUG:   * Flex Code Quality and Security 2.6.2.2641 (flex)
05:17:09.507 DEBUG:   * XML Code Quality and Security 2.4.0.3273 (xml)
05:17:09.507 DEBUG:   * PHP Code Quality and Security 3.21.2.8292 (php)
05:17:09.507 DEBUG:   * VB.NET Code Quality and Security 8.32.0.39516 (vbnet)
05:17:09.507 DEBUG:   * Configuration detection fot Code Quality and Security 1.1.0.185 (config)

Others relevant parts of the sonar-scanner output:

05:17:16.449 INFO: Sensor Scala Sensor [sonarscala]
05:17:16.458 INFO: 4112 source files to be analyzed
05:17:16.817 INFO: Load project repositories
05:17:16.994 DEBUG: GET 200 http://xxx/batch/project.protobuf?key=xxx | time=177ms
05:17:17.025 INFO: Load project repositories (done) | time=208ms

Update:

I saw this commit https://github.com/spotbugs/sonar-findbugs/commit/526ca6b29fae2684f86b1deba074a4be8a05b67e and now I have sure that this is a past design decision to exclude SCALA rules from the plugin... but i didn't understood why?! Can I edit this file and somehow activate those rules manually?

  static exclusions = ['CUSTOM_INJECTION',
                       'SCALA_SENSITIVE_DATA_EXPOSURE',
                       'SCALA_PLAY_SSRF',
                       'SCALA_XSS_TWIRL',
                       'SCALA_XSS_MVC_API',
                       'SCALA_PATH_TRAVERSAL_IN',
                       'SCALA_COMMAND_INJECTION',
                       "SCALA_SQL_INJECTION_SLICK",
                       "SCALA_SQL_INJECTION_ANORM",
                       "PREDICTABLE_RANDOM_SCALA"]
gtoison commented 2 years ago

As you've seen the scala rules are explicitely excluded when building the metadata that the plugin will import into SonarQube. The way it works is that a Groovy script is used to generate the XML metadata files in a format that can be loaded into SonarQube.

There's an old PR to support Scala but apparently it was not working (https://github.com/spotbugs/sonar-findbugs/pull/237) I have recently started maitaining the plugin but I have not had the time to look into it, I do not use (or know) Scala myself but if you are interested, I think it would be good to add Scala support

gtoison commented 2 years ago

Scala code should be analyzed in the latest version (4.1.3) of the plugin, so please consider testing, this should fix the issue Please let me know if there's any other problem