OWASP SonarQube Project

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP SonarQube Project
OWASP Sonarqube Project is intended to track the implementation in SonarQube langauge plugins of security rules, like those in the OWASP Top10, ASVS, PCI-DSS, ISO 27034ASC, &etc.

Introduction to SonarQube
SonarQube is an open platform for managing code quality. As such, it covers the 7 axes of code quality:

http://www.sonarqube.org/wp-content/themes/sonar/images/7axes.png

More than 20 programming languages are covered through plugins, including: Java, C#, C/C++, PL/SQL, Cobol, ABAP, …

Goal
Deliver a set of rules marked with relevant tags (E.G. owasp-top10, cwe, sans-top25) to make adoption of security rules as painless as possible.

Licensing
OWASP SonarQube Project is free to use. It is licensed under the [ttp://www.apache.org/licenses/LICENSE-2.0 Apache 2.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

November 2014
We've added an "owasp-top10" tag to existing rules, mainly in the FindBugs plugins.

October 2014
We've mapped the existing SonarQube rule specifications to CWE.


 * valign="top" style="padding-left:25px;width:200px;" |

Project Leader
[mailto:sebastien.gioria@owasp.org Sebastien Gioria]

[mailto:freddy.mallet@sonarsource.com Freddy Mallet]

[mailto:ann.campbell@sonarsource.com G. Ann Campbell]

Open HUB
SonarQube rating on Open HUB

Email List
Sign Up! Archives

Classifications

 * }

= News =


 * 1 December 2014 : +20 rules relating to OWASP Top 10 and targeting Java already specified in the SonarSource Rules Repository


 * 6 November 2014 : Project presentation at Application Security Forum West Switzerland


 * 1 November 2014 : new "owasp-top10" tag in the "Rules" space to quickly search for OWASP Top 10 relating rules (mainly Findbugs rules)


 * 1 October 2014 : Matching most of the SonarQube rules to the MITRE CWE referential to ease the tagging of "owasp-top10" relating rules


 * 11 September 2014 : Project as been presented at OWASP France Meeting. See Air Mozilla recording

=FAQs=


 * How do I use the owasp-top10 tag?
 * Perform a rule search for tag=owasp-top10. If you have the proper permissions, you can use the bulk change options to activate the results in your profiles.


 * How to help ?
 * Give us your expertise on some langage, or ability to test on some real project our rules, or more...


 * Will you plan other langage ?
 * Yes, contact us if you want to know more. And perhaps give us some feedback one some real projects....

= Acknowledgements =

Sponsors :
Advens ; French Experts on application security

SonarSource ; Founder and maintainer of SonarQube

Volunteers
SonarQube is developed by a worldwide team of volunteers. The primary contributors to date have been:

= Road Map and Getting Involved = As of June 2014, the priorities are:

First deliver on Java langage :


 * Deliver tags mapping Cert Secure Coding and ISO 27034 ASC for the end of 2014


 * Deliver for 2015 rule tags mapping PCI-DSS requirements with the standard rules of SonarQube.


 * Deliver for 2015 rule tags mapping OWASP ASVS level (1,2,3,4).

Involvement in the development and promotion of SonarQube is actively encouraged! You do not have to be a security expert in order to contribute.

=Project About=