Investigate utility of a Sonarqube plugin

[nazeemkhan77]

Any update on this? I would need the plugin to import the cfn lint reports to SonarQube. Any response would be much appreciated. Thanks.

[ghost]

Hey, we haven't done any work on this since creating the issue. Given you have interest we can bump the priority on this....

[nazeemkhan77]

Sounds good to me. I am sure others also would be interested in the feature.

[pethers]

Happy to help out, find this very nice to have.

Can help out to create prototype for sonarqube 7.7+, thinking generation of the reports are out of scope for the sonarqube plugin.So probably a property "sonar.cfn.nag.reportFiles=comma separated ant pattern or file path" or sonar.cfn.nag.reportDir=path of json report files.

Import the rules below, would be nice to tag according to OWASP 10, SANS 25(cwe) so they show upp in reports https://www.hack23.com/sonar/project/security_reports/owasp_top_10?id=com.hack23.cia%3Acia-all / https://www.hack23.com/sonar/project/security_reports/sans_top_25?id=com.hack23.cia%3Acia-all&showCWE=true . Guess most "A6 - Security Misconfiguration","A10 - Insufficient Logging & Monitoring" or "CWE-732 - Incorrect Permission Assignment for Critical Resource".

WARNING VIOLATIONS: W1 Specifying credentials in the template itself is probably not the safest thing W2 Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB W5 Security Groups found with cidr open to world on egress W9 Security Groups found with ingress cidr that is not /32 W10 CloudFront Distribution should enable access logging W11 IAM role should not allow resource on its permissions policy W12 IAM policy should not allow resource W13 IAM managed policy should not allow * resource W14 IAM role should not allow Allow+NotAction on trust permissions W15 IAM role should not allow Allow+NotAction W16 IAM policy should not allow Allow+NotAction W17 IAM managed policy should not allow Allow+NotAction W18 SQS Queue policy should not allow Allow+NotAction W19 SNS Topic policy should not allow Allow+NotAction W20 S3 Bucket policy should not allow Allow+NotAction W21 IAM role should not allow Allow+NotResource W22 IAM policy should not allow Allow+NotResource W23 IAM managed policy should not allow Allow+NotResource W24 Lambda permission beside InvokeFunction might not be what you want? Not sure!? W26 Elastic Load Balancer should have access logging enabled W27 Security Groups found ingress with port range instead of just a single port W28 Resource found with an explicit name, this disallows updates that require replacement of this resource W29 Security Groups found egress with port range instead of just a single port W31 S3 Bucket likely should not have a public read acl W32 CodeBuild project should specify an EncryptionKey value W33 EC2 Subnet should not have MapPublicIpOnLaunch set to true W34 Batch Job Definition Container Properties should not have Privileged set to true

FAILING VIOLATIONS: F1 EBS volume should have server-side encryption enabled F2 IAM role should not allow action on its trust policy F3 IAM role should not allow action on its permissions policy F4 IAM policy should not allow action F5 IAM managed policy should not allow action F6 IAM role should not allow Allow+NotPrincipal in its trust policy F7 SQS Queue policy should not allow Allow+NotPrincipal F8 SNS Topic policy should not allow Allow+NotPrincipal F9 S3 Bucket policy should not allow Allow+NotPrincipal F10 IAM user should not have any inline policies. Should be centralized Policy object on group F11 IAM policy should not apply directly to users. Should be on group F12 IAM managed policy should not apply directly to users. Should be on group F13 Lambda permission principal should not be wildcard F14 S3 Bucket should not have a public read-write acl F15 S3 Bucket policy should not allow action F16 S3 Bucket policy should not allow principal F18 SNS topic policy should not allow principal F20 SQS Queue policy should not allow action F21 SQS Queue policy should not allow * principal F22 RDS instance should not be publicly accessible F23 RDS instance master user password must be Ref to NoEcho Parameter. Default credentials are not recommended F24 ElastiCache ReplicationGroup should have encryption enabled for in transit F25 ElastiCache ReplicationGroup should have encryption enabled for at rest F26 RDS DBCluster should have StorageEncrypted enabled F27 EFS FileSystem should have encryption enabled F28 Redshift Cluster should have encryption enabled F29 Workspace should have encryption enabled F30 Neptune database cluster storage should have encryption enabled F31 DirectoryService::SimpleAD should use a parameter for password, with NoEcho F665 WebAcl DefaultAction should not be ALLOW F1000 Missing egress rule means all traffic is allowed outbound. Make this explicit if it is desired configuration F2000 User is not assigned to a group

Some other plugins that generate issues from report https://github.com/pethers/zap-sonar-plugin / https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin .

[pethers]

started a poc at https://github.com/pethers/sonarqube-cloudformation-plugin, still WIP but will spend some more time on it later this week.

[pethers]

Moved to https://github.com/Hack23/sonarqube-cloudformation-plugin, still need to parse report and create issues but cloudformation language,rules and quality profile in place.

[pethers]

Basic example running at https://www.hack23.com/sonar/project/issues?id=com.hack23.sonar%3Asonar-cloudformation-plugin&languages=cfn&resolved=false

[jesseadams]

@pethers Nice work on this! Please let us know if you need any support from us. I'd personally like to use this when it is "ready" and add a link to your project in our README.

[pethers]

@jesseadams have a few issues, currently I use the property sonar.cfn.nag.reportFiles=src/test/resources/aws-cross-account-manager-master.yml.nag , only uses suffix .nag on the template so I have a way of determine what template file the report is for. Required to link issues to template/line number.

Will add support for cfn_nag_scan format as well, easier when there is a filename attribute.

Plan to release first version the next few days, need to add some more test and handle properties to specify multiple reports.

https://github.com/Hack23/sonarqube-cloudformation-plugin/blob/master/src/main/resources/cloudformation-rules.xml rule names also need to cleaned up, just used the cfn_nag description for now.

[pethers]

Moved to https://github.com/Hack23/sonar-cloudformation-plugin , to comply with sonarqube naming standard and example report at https://www.hack23.com/sonar/project/issues?id=com.hack23.sonar%3Asonar-cloudformation-plugin&resolved=false&types=VULNERABILITY .

[pethers]

https://community.sonarsource.com/t/sonar-cloudformation-plugin-1-0-0-beta-released/10351

Hi,

Written a first version of Cloudformation template rules, currently just parses the reports from cfn-nag (https://github.com/stelligent/cfn_nag) and links the issues to the cloudformation template.

Can be downloaded from https://oss.sonatype.org/service/local/repositories/releases/content/com/hack23/sonar/sonar-cloudformation-plugin/1.0.0.beta/sonar-cloudformation-plugin-1.0.0.beta.jar , but pushed it to maven central so should show up there soon.

Source code : https://github.com/Hack23/sonar-cloudformation-plugin Documentation : https://hack23.github.io/sonar-cloudformation-plugin/ Sonarqube : https://www.hack23.com/sonar/dashboard?id=com.hack23.sonar%3Asonar-cloudformation-plugin

Only support Sonarqube 7.7+ and currently only rules from cfn_nag.

Happy to receive any feedback, and please report any issues or feature request at github

Best regards James Pether Sörling

[munntjlx]

I will begin using this. Thanks for the work!

[pethers]

a few more releases done to support more cfn-nag rules https://github.com/Hack23/sonar-cloudformation-plugin/releases

Release 1.0.1 New rules added from cfn-nag

W38 IOT policy should not allow action W39 IoT policy should not allow resource W40 Security Groups egress with an IpProtocol of -1 found W41 S3 Bucket should have encryption option set W42 Security Groups ingress with an ipProtocol of -1 found

@pethers pethers released this on Jul 20 · 22 commits to master since this release

New rules added F38 IAM role should not allow resource with PassRole action on its permissions policy F39 IAM policy should not allow resource with PassRole action F40 IAM managed policy should not allow a * resource with PassRole action F50 Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.

W36 Security group rules without a description obscure their purpose and may lead to bad practices in ensuring they only allow traffic from the ports and sources/destinations required. W37 EBS Volume should specify a KmsKeyId value

Release 1.0.0.beta3 Add support for new cfn-nag rules …

F32 EFS FileSystem should have encryption enabled F33 ElastiCache ReplicationGroup should have encryption enabled for in transit F34 RDS DB Cluster master user password must be Ref to NoEcho Parameter. Default credentials are not recommended F35 Redshift Cluster master user password must be Ref to NoEcho Parameter. Default credentials are not recommended F36 Directory Service Microsoft AD must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value. F37 DMS Endpoint must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.

[pethers]

Releases at https://github.com/Hack23/sonar-cloudformation-plugin/releases , jar:s published to maven-central

[pethers]

@erickascic this can be closed, not in the marketplace https://community.sonarsource.com/t/new-release-sonar-cloudformation-plugin-1-0-2/14021 but can be installed manually.

[pethers]

The plugin is now available from Sonarqube market place, https://docs.sonarqube.org/latest/instance-administration/plugin-version-matrix/

[pethers]

Just released https://github.com/Hack23/sonar-cloudformation-plugin/releases/tag/sonar-cloudformation-plugin-2.0.8 .

Think this issue can be closed now.