OWASP SonarQube Project

=Main=




OWASP SonarQube Project
The OWASP SonarQube Project delivers a set of "standard" SonarQube quality profiles for security, such as an OWASP Top 10 profile, OWASP ASVS profiles, a PCI-DSS profile and an ISO 27034 ASC profile, that development teams can adopt with the support of the OWASP community.

Introduction
SonarQube is an open platform to manage code quality. As such, it covers the 7 axes of code quality:

http://www.sonarqube.org/wp-content/themes/sonar/images/7axes.png

More than 20 programming languages are covered through plugins including Java, C#, C/C++, PL/SQL, Cobol, ABAP…

Description
The project follows the model of the OWASP ModSecurity Core Rule Set (CRS) project: deliver a set of quality profiles that the community recognizes as a baseline for securing their applications.

Licensing
The OWASP SonarQube Project is free to use. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you keep the copyright and license notices (attribution) and mark the files you changed. Apache 2.0 is not a share-alike license: if you alter, transform, or build upon this work, you may distribute the result under a license of your choice, as long as the original notices are preserved.



What is SonarQube?
The OWASP SonarQube Project provides:

 * A set of quality profiles (in the SonarQube sense) mapped to security standards.
 * New plugins and rules for SonarQube.

Project Leader
[mailto:sebastien.gioria@owasp.org Sebastien Gioria]

[mailto:freddy.mallet@sonarsource.com Freddy Mallet]


=FAQs=


 * What is the difference from the OWASP Top 10 plugin for Sonar?
 * That plugin is a commercial (or possibly community) plugin. With our profiles you only need to install Sonar and the standard open-source plugins. Moreover, we will develop other add-on plugins in the coming months.


 * How can I help?
 * Contribute your expertise in a language, test our quality profiles on real projects, and more.


 * Do you plan to support other languages?
 * Yes. Contact us if you want to know more, and perhaps give us feedback from some real projects.

= Acknowledgements =

Sponsors:
Advens: French experts in application security

SonarSource: founder and maintainer of SonarQube

Volunteers
The OWASP SonarQube Project is maintained by a worldwide team of volunteers. The primary contributors to date have been:

= Road Map and Getting Involved =

As of June 2014, the priorities are:

First deliver for the Java language:

 * Deliver, for the beginning of Q4 (October) 2014, tags on the existing FindBugs and SonarQube rules that apply to the OWASP Top 10 2013. Tag name: "owasp-top10".
 * Deliver, for the end of 2014, tags mapping rules to the CERT Secure Coding standards and ISO 27034 ASC.
 * Deliver, for 2015, rule tags mapping PCI-DSS requirements to the standard SonarQube rules.
 * Deliver, for 2015, rule tags mapping the OWASP ASVS levels (1, 2, 3, 4).
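The roadmap above builds profiles out of rule tags rather than out of new rules. The following is an added example (not code from the OWASP SonarQube Project or from SonarSource) of the two checks a team would run on such a tag-based profile: assemble the profile from every rule carrying the standard's tag, and report which categories of the standard no tagged rule covers. It assumes a per-category tag of the form owasp-a1 .. owasp-a10 alongside the page's owasp-top10 tag (the page specifies only the latter), a rule catalogue in the shape of SonarQube's api/rules/search JSON (the rule keys and tags below are constructed sample data, not a claim about any real SonarQube installation), and output in the shape of SonarQube's quality profile backup XML.

```python
"""Build a standard-mapped SonarQube quality profile from rule tags and
report which categories of the standard have no covering rule.

Added example for the OWASP SonarQube Project page; not the project's own
code. Rule keys/tags are constructed sample data; per-category tags
(owasp-a1 ..) are an assumption, the page only names "owasp-top10".
"""
import json
import xml.etree.ElementTree as ET
from collections import OrderedDict

# OWASP Top 10 2013 categories; the key is the assumed per-category tag suffix.
OWASP_TOP10_2013 = OrderedDict([
    ("a1", "Injection"),
    ("a2", "Broken Authentication and Session Management"),
    ("a3", "Cross-Site Scripting (XSS)"),
    ("a4", "Insecure Direct Object References"),
    ("a5", "Security Misconfiguration"),
    ("a6", "Sensitive Data Exposure"),
    ("a7", "Missing Function Level Access Control"),
    ("a8", "Cross-Site Request Forgery (CSRF)"),
    ("a9", "Using Components with Known Vulnerabilities"),
    ("a10", "Unvalidated Redirects and Forwards"),
])

# Constructed sample in the shape of api/rules/search output (not real data).
SAMPLE_RULES_JSON = json.dumps({"rules": [
    {"key": "squid:S2076", "lang": "java", "severity": "CRITICAL",
     "tags": ["owasp-top10", "owasp-a1"]},
    {"key": "findbugs:SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE", "lang": "java",
     "severity": "CRITICAL", "tags": ["owasp-top10", "owasp-a1"]},
    {"key": "squid:S2068", "lang": "java", "severity": "CRITICAL",
     "tags": ["owasp-top10", "owasp-a2"]},
    {"key": "findbugs:XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER", "lang": "java",
     "severity": "MAJOR", "tags": ["owasp-top10", "owasp-a3"]},
    {"key": "squid:S2092", "lang": "java", "severity": "MINOR",
     "tags": ["owasp-top10", "owasp-a6"]},
    {"key": "squid:S1067", "lang": "java", "severity": "MAJOR",
     "tags": ["brain-overload"]},          # quality rule, no security tag
]})


def parse_rules(api_json):
    """Return the rule list from an api/rules/search style JSON document."""
    return json.loads(api_json)["rules"]


def rules_for_tag(rules, tag, language=None):
    """Rules carrying `tag`, optionally restricted to one language key."""
    return [r for r in rules
            if tag in r.get("tags", [])
            and (language is None or r.get("lang") == language)]


def coverage(rules, standard_tag="owasp-top10", category_prefix="owasp-"):
    """Map each Top 10 category to the keys of tagged rules that cover it.

    Only rules carrying `standard_tag` count; a rule is attributed to a
    category by its `<category_prefix><category>` tag (assumed convention).
    """
    by_category = OrderedDict((cat, []) for cat in OWASP_TOP10_2013)
    for rule in rules_for_tag(rules, standard_tag):
        for tag in rule.get("tags", []):
            if tag.startswith(category_prefix):
                cat = tag[len(category_prefix):]
                if cat in by_category:
                    by_category[cat].append(rule["key"])
    return by_category


def uncovered(by_category):
    """Categories of the standard that no tagged rule covers."""
    return [cat for cat, keys in by_category.items() if not keys]


def profile_xml(name, language, rules):
    """Serialize rules as a SonarQube-style quality profile backup document."""
    profile = ET.Element("profile")
    ET.SubElement(profile, "name").text = name
    ET.SubElement(profile, "language").text = language
    rules_el = ET.SubElement(profile, "rules")
    for rule in rules:
        repo, _, key = rule["key"].partition(":")   # "repo:key" -> repo, key
        rule_el = ET.SubElement(rules_el, "rule")
        ET.SubElement(rule_el, "repositoryKey").text = repo
        ET.SubElement(rule_el, "key").text = key
        ET.SubElement(rule_el, "priority").text = rule.get("severity", "MAJOR")
    return ET.tostring(profile, encoding="unicode")


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_JSON)
    top10_rules = rules_for_tag(rules, "owasp-top10", language="java")
    print(profile_xml("OWASP Top 10 2013", "java", top10_rules))
    cov = coverage(rules)
    for cat, keys in cov.items():
        print("%-4s %-50s %d rule(s)" % (cat.upper(), OWASP_TOP10_2013[cat], len(keys)))
    print("Uncovered categories:", ", ".join(c.upper() for c in uncovered(cov)))
```

The uncovered list is the useful output: a profile that silently contains no rule for a category gives a false sense of compliance, so the gap report is what a reviewer should ask for alongside the profile itself. Against a live server the same functions apply to the body of `api/rules/search?tags=owasp-top10&languages=java&ps=500`, fetched outside this example.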

Involvement in the development and promotion of SonarQube is actively encouraged! You do not have to be a security expert in order to contribute.

=Project About=