OWASP SonarQube Project

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

NOTE: If you are interested in contributing to open source static vulnerability analysis for Java, OWASP recommends you contribute to the Find Security Bugs Project run by Philippe Arteau. FindSecBugs is a FindBugs plugin. Philippe also runs the SonarQube FindBugs Plugin Project, which bundles both FindBugs and FindSecBugs into a plugin that can be used with SonarQube and in fact comes bundled with SonarQube by default. So, by contributing to the Find Security Bugs project, you are helping both the Find Bugs and SonarQube user communities at the same time.

Historical Info:

The first goal of the OWASP SonarQube Project is to a create a referential of check specifications targeting OWASP vulnerabilities and that can be detected by SAST tools (Static Application Security Testing). From there, the second goal is to provide a reference implementations of most of those checks in the Open Source SonarQube language analysers (Java, JavaScript, PHP and C#).

Any contributor is highly welcome to participate to this community effort and participating is pretty easy:
 * Each idea of a new potential valuable check should be sent to this project mailing list.
 * Then some discussions might start to challenge the idea
 * At the end of discussions, a specification of the check is created in the following JIRA project by one of the leader of this project : http://jira.sonarsource.com/browse/RSPEC.
 * To suggest a rule, send as much as possible from the following list:
 * description - What should be done/not done, and why
 * noncompliant code example in the language of your choice
 * remediation action - This can be as simple as "Don't do X."

The "News" is updated as soon as :
 * A check specification is created
 * A SonarQube analysers containing some stuff relating to this OWASP SonarQube project is released.

About SonarQube
SonarQube is an Open Source platform for managing code quality. This platform can be extended with Open Source or commercial plugins, see for instance the Java, JavaScript, PHP and C# plugins.

Licensing
OWASP SonarQube Project is free to use. It is licensed under the Apache 2.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


 * valign="top" style="padding-left:25px;width:200px;" |

Project Leader
[mailto:vinod@owasp.org Vinod Anandan]

Email List
Sign Up!

Archives

Repository
Here are the repositories for the open source plugins related to this project. Most of them provide security-related rules:
 * Java
 * JavaScript
 * PHP
 * C#
 * Widget Lab provides security-related SonarQube dashboard widgets

Classifications

 * }

= News =
 * 26 Mar 2016: Release of the SonarQube C# plugin version 5.0 adds four new bug and security-related rules:
 * S1944 Inappropriate casts should not be made
 * S3466 Optional parameters should be passed to "base" calls
 * S3449 Right operands of shift operators should be integers
 * S2184 Result of integer division should not be assigned to floating point variable

This last is actually a rule template, which will allow users to raise issues appropriately on their custom Resources.
 * 25 Mar 2016: Release of the SonarQube Java plugin version 3.12 adds three new bug and security-related rules:
 * S3066 "enum" fields should not be publicly mutable
 * S3034 Raw byte values should not be used in bitwise operations in combination with shifts
 * S3546 Resources as defined by user should be closed


 * 6 Feb 2016: Release of the SonarQube Java plugin version 3.10 adds seven new bug and security-related rules:
 * S2142 "InterruptedException" should not be ignored
 * S3438 "SingleConnectionFactory" instances should be set to "reconnectOnException"
 * S3281 Default EJB interceptors should be declared in "ejb-jar.xml"
 * S2639 Inappropriate regular expressions should not be used
 * S3369 Security constraints should be defired
 * S3374 Struts validation forms should have unique names
 * S3355 Web applications should use validation filters


 * 13 Jan 2016: Release of the SonarQube JavaScript plugin version 2.10 adds four new bug detection rules:
 * RSPEC-2234 Parameters should be passed in the correct order]
 * RSPEC-3001 "delete"should be used only with objects
 * RSPEC-2681 Multiline blocks should be enclosed in curly braces
 * RSPEC-3403 The identity operator ("===") should not be used with dissimilar types


 * 12 Nov 2015: Release of the SonarQube PHP plugin version 2.7 adds three new bug detection rules.


 * 7 Oct 2015: Release of the SonarQube Java plugin version 3.6 adds 14 new rules including four related to CWE or security:
 * RSPEC-2653 Web applications should have a "main" method
 * RSPEC-2221 "Exception" should not be caught when not required by called methods
 * RSPEC-3318 Untrusted data should not be stored in sessions
 * RSPEC-1845 Dead stores should be removed


 * 2 Sept 2015: Release of the SonarQube JavaScript plugin version 2.8 improves several rules and adds 5 new rules, all related to bugs or security, including:
 * RSPEC-905 Non-empty statements should change control flow or have at least one side effect
 * RSPEC-3271 Local storage should not be used
 * RSPEC-2611 Untrusted content should not be included


 * 25 Aug 2015: Release of the SonarQube Java plugin version 3.5 improves a number of existing rules, and adds 6 new rules, including 2 security-related rules:
 * RSPEC-2384 Classes should not be loaded dynamically
 * RSPEC-2386 Mutable fields should not be "public static"


 * 9 July 2015: Release of the SonarQube Java plugin version 3.4 adds 17 new rules, including 2 security-related rules:
 * RSPEC-2384 Mutable members should not be stored or returned directly
 * RSPEC-2976 "File.createTempFile" should not be used to create a directory


 * 1 July 2015: Release of the SonarQube JavaScript plugin version 2.7 adds 6 new rules, including 2 bug-related rules, 1 CWE-related rule, and 2 rules directly related to security
 * RSPEC-930 The number of arguments passed to a function shall match the number of parameters
 * RSPEC-2819 Cross-document messaging domains should be carefully restricted
 * RSPEC-2817 Web SQL databases shoudl not be used


 * 9 June 2015: Release of the SonarQube PHP plugin version 2.6 adds 5 new rules, including 1 CWE-related rule:
 * RSPEC-2068 Credentials should not be hard-coded


 * 19 May 2015: Release of the SonarQube Java plugin version 3.3 adds 7 new rules, including 4 related to bug detection.


 * 19 May 2015: Release of the SonarQube PHP plugin version 2.5 adds 7 new rules, including 5 related to bug detection and error handling.


 * 30 April 2015: Release of the SonarQube Java plugin version 3.2 adds a rule to find unclosed resources, which can help prevent DoS attacks.


 * 23 April 2015: Release of the SonarQube JavaScript plugin version 2.5 adds 13 new rules, including seven related to bug or pitfall detection, including
 * RSPEC 1854 Dead stores should be removed
 * RSPEC-888 Equality operators should not be used in "for" loop termination conditions


 * 3 April 2015: Release of the SonarQube Java plugin version 3.1 adds seven new rules related to bug detection, including a powerful new rule able to detect null pointer dereferences.


 * 2 April 2015: Release of the SonarQube JavaScript plugin version 2.4 adds 15 new rules related to bug detection, including one which is also related to security:
 * RSPEC-2228 Console logging should not be used


 * 9 March 2015: With its latest release, version 3.0 on 4 March 2015, the SonarQube Java plugin now covers 50 different CWE items. See the full list


 * 4 March 2015: Release of SonarQube Java 3.0 plugin containing 24 new rules, including 14 related to bug detection and 6 related to the detection of multi-threading issues.


 * 5 February 2015: Release of SonarQube Java 2.9.1 plugin containing 19 new rules including 1 related to OWASP Top 10:
 * RSPEC-2257 Only standard cryptographic algorithms should be used


 * 5 January 2015: Release of SonarQube Java 2.8 plugin containing 25 new rules including several related to OWASP Top 10:
 * RSPEC-2277 Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)
 * RSPEC-2078 Values passed to LDAP queries should be sanitized
 * RSPEC-2076 Values passed to OS commands should be sanitized
 * RSPEC-2278 DES (Data Encryption Standard) and DESede (3DES) should not be used


 * 12 December 20014 : Release of SonarQube Java 2.7 plugin containing 26 new rules and 7 relating to OWASP TOP 10
 * RSPEC-2068 Credentials should not be hard-coded
 * RSPEC-2245 Pseudorandom number generators (PRNGs) should not be used in secure context
 * RSPEC-2255 Cookies should not be used to store sensitive information
 * RSPEC-2089 HTTP referers should not be relied on
 * RSPEC-2070 SHA-1 and MD5 hash algorithms should not be used
 * RSPEC-2254 "HttpServletRequest.getRequestedSessionId" should not be used
 * RSPEC-2258 "javax.crypto.NullCipher" should not be used for anything other than testing


 * 10 December 2014 : 2 new rules specified
 * RSPEC-2278 DES (Data Encryption Standard) and DESede (3DES) should not be used
 * RSPEC-2277 Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)


 * 3 December 2014 : 4 new rules specified
 * RSPEC-2258	"javax.crypto.NullCipher" should not be used for anything other than testing
 * RSPEC-2257	Only standard cryptographic algorithms should be used
 * RSPEC-2255	Cookies should not be used to store sensitive information
 * RSPEC-2254	"HttpServletRequest.getRequestedSessionId" should not be used


 * 6 November 2014 : Project presentation at Application Security Forum West Switzerland


 * 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for OWASP Top 10 relating rules (mainly Findbugs rules)
 * RSPEC-2077	Values passed to SQL commands should be sanitized


 * 2 October 2014 : 2 new rules specified
 * RSPEC-2092	Cookies should be "secure"
 * RSPEC-2091	Values passed to XPath expressions should be sanitized
 * RSPEC-2089	HTTP referers should not be relied on
 * RSPEC-2087	Weak encryption should not be used
 * RSPEC-2086	Values passed to XQuery commands should be sanitized
 * RSPEC-2085	Values passed to HTTP redirects should be neutralized
 * RSPEC-2084	Messages output from a servlet "catch" block should be invariable
 * RSPEC-2083	Values used in path traversal should be neutralized


 * 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of "owasp-top10" relating rules


 * 11 September 2014 : Project as been presented at OWASP France Meeting. See Air Mozilla recording

=FAQs=


 * How to help ?
 * Give us your expertise on some langage, or ability to test on some real project our rules, or more...


 * Will you plan other langage ?
 * Yes, contact us if you want to know more. And perhaps give us some feedback one some real projects....

= Acknowledgements =

Sponsors :
AppSec Blog ; AppSecFR Coach - Sébastien Gioria Consulting

SonarSource ; Founder and maintainer of SonarQube

=Project About=