Discover code-level vulnerabilities with SonarQube and bring them into Vulcan Cyber for discovery, prioritization, and automated remediation. In this article, you will learn how to connect SonarQube to Vulcan Cyber, locate the imported vulnerabilities and code project assets, and automate actions on them.
Prerequisites and User Permissions
User Permissions
Go to SonarQube > Account > My Organizations > your organization name > Administration > Permission Templates.
Make sure that both Members and Owners have the following permissions set: Browse, See Source Code, Administer, and Execute Analysis.
To connect SonarQube and Vulcan Cyber, make sure that your SonarQube instance is running at least version 8.8 (build 42792); earlier versions are not supported.
First, log in to your SonarQube instance.
If the SonarQube server is installed on a local network and is not reachable from the internet, you may need to connect through the Vulcan Gateway.
Click on your user profile icon and the My Account link.
Click on the Security tab.
Enter a name for the token (this example uses "Vulcan Cyber") and click the Generate button.
Copy the generated token immediately: SonarQube shows it only once and hides it as soon as you leave the page. The token carries the permissions of the user who created it, so store it as you would a password.
Log in to your Vulcan Cyber dashboard and click on Connectors.
Click on the Add a Connector button.
Click on the SonarQube icon.
Enter the following information into the connector setup page.
Server URL - The URL of your SonarQube instance.
Api Key - The token generated above.
Sync security hotspots - Checked in this example. A security hotspot is a security-sensitive area of code that SonarQube flags for manual review rather than a confirmed vulnerability, so you may find that importing these callouts is redundant or unused in your process.
When this option is unchecked, Vulcan does not retrieve security hotspots from SonarQube.
Map SonarQube severity to Vulcan numerical score - By default, Vulcan maps each SonarQube severity value to a default numerical score. To customize the mapping, edit the values in the connector configuration, as shown below.
Once all information has been entered, click the Test Connectivity button to verify that Vulcan Cyber can reach your SonarQube instance with the supplied token, as shown below, and finally click the Create button.
Return to the Connectors page; once the SonarQube icon shows as Connected, the connection is complete.
Although it is not configurable in the connector interface, Vulcan Cyber also maps SonarQube statuses to Vulcan vulnerability statuses. The table below gives the mapping for SonarQube vulnerabilities and, in a separate column, for SonarQube security hotspots.
Vulnerability Status Mapping
Vulcan Status | SonarQube Vulnerabilities | SonarQube Hotspots | Notes
Vulnerable | Open, Confirmed | To Review |
Fixed | Resolved as Fixed | Fixed | Also displayed when the vulnerability is no longer present.
Ignored - False Positive | Resolved as False Positive | Safe |
Ignored - Risk Acknowledged | Resolved as Won't Fix | N/A |
Locating SonarQube Vulnerabilities in Vulcan Cyber
As SonarQube discovers vulnerabilities, the Vulcan Cyber connector imports them for reporting and action. With a large number of assets and vulnerabilities, filters make it easy to find the findings that came from a specific source.
Open the Vulcan Cyber dashboard and navigate to the Vulnerabilities section. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate SonarQube on the vulnerability source list and click to filter results by SonarQube.
Click on any vulnerability to view further information and potentially take action by clicking the Take Action drop-down and choosing an option, as shown below.
Finding SonarQube Code Project Assets in Vulcan Cyber
To quickly locate all Code Project assets synced from SonarQube, use the Assets tab in Vulcan Cyber.
Open the Vulcan Cyber dashboard and navigate to the Assets section. Once there, click on the Code Projects tab.
Click on the Search or filter codeProjects input box and select Connector from the drop-down selection.
Next, scroll down the resulting connector list to locate and click on the SonarQube option to view all synced SonarQube Code Project assets.
Automating SonarQube Vulnerability Actions in Vulcan Cyber
Large environments quickly become unmanageable if every vulnerability needs manual attention before it is remediated. Use the automation capabilities of Vulcan Cyber together with the SonarQube connector to act on findings as they are imported.
Open the Vulcan Cyber dashboard and navigate to the Automation section. Once there, click the Create new Playbook button.
First, give your automation playbook a name; here the name used is "Assign Critical SonarQube Vulnerabilities to Email".
Choose SonarQube as the source of vulnerabilities and add the condition Risk is Critical, leaving the rest as defaults.
Choose Assign via Email as the Remediate Action.
Choose how tickets are split; here up to 200 vulnerabilities are aggregated into a single email. Then add the recipient email addresses to be notified.
Leave all other steps as default and click Save and Run.
API In Use
projects:
{BASE_URL}/api/components/search?qualifiers=TRK
project details:
{BASE_URL}/api/components/show?component={project_keys_separated_by_comma}
vulnerabilities (per project):
{BASE_URL}/api/issues/search?types=VULNERABILITY&componentKeys={project_key}
vulnerability rules:
{BASE_URL}/api/rules/show?types=VULNERABILITY&key={vulnerability_rule_keys_separated_by_comma}
hotspots (per project):
{BASE_URL}/api/hotspots/search?projectKey={project_key}
hotspot rules:
{BASE_URL}/api/rules/show?types=SECURITY_HOTSPOT&key={hotspot_rule_keys_separated_by_comma}
hotspot details:
{BASE_URL}/api/hotspots/show?hotspot={hotspot_keys_separated_by_comma}
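The following script is an added example, not code from Vulcan Cyber or SonarQube. It shows, end to end, what the connector does with the token from the Security tab, the Vulnerability Status Mapping table, and the endpoints listed under API In Use: it authenticates with the token (SonarQube accepts a user token as the Basic-auth username with an empty password), follows the p/ps paging of api/issues/search and api/hotspots/search, and translates each SonarQube status/resolution pair into the Vulcan status from the table. The SAMPLE_* payloads, the project key "demo" and the issue and hotspot keys are constructed for offline use; the CLOSED/REMOVED row is an assumption based on the "no longer present" note, and sync_live only touches the network when you call it with a real server URL and token.

```python
# Added example, not Vulcan Cyber's or SonarQube's own code: walk the endpoints
# listed under API In Use and map findings to Vulcan statuses per the table above.
import base64
import json
import urllib.parse
import urllib.request

# (status, resolution) of a SonarQube issue -> Vulcan status, per the mapping table.
ISSUE_STATUS_MAP = {
    ("OPEN", None): "Vulnerable",
    ("CONFIRMED", None): "Vulnerable",
    ("RESOLVED", "FIXED"): "Fixed",
    ("CLOSED", "REMOVED"): "Fixed",  # assumption: the "no longer present" note
    ("RESOLVED", "FALSE-POSITIVE"): "Ignored - False Positive",
    ("RESOLVED", "WONTFIX"): "Ignored - Risk Acknowledged",
}
# Anything the table does not list (e.g. REOPENED issues, ACKNOWLEDGED hotspots) stays Unmapped.
HOTSPOT_STATUS_MAP = {
    ("TO_REVIEW", None): "Vulnerable",
    ("REVIEWED", "FIXED"): "Fixed",
    ("REVIEWED", "SAFE"): "Ignored - False Positive",
}

def auth_header(token):
    """SonarQube takes a user token as the Basic-auth username with an empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()

def api_url(base_url, path, **params):
    return f"{base_url.rstrip('/')}/api/{path}?{urllib.parse.urlencode(params)}"

def fetch_json(base_url, token, path, **params):
    req = urllib.request.Request(api_url(base_url, path, **params),
                                 headers={"Authorization": auth_header(token)})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def paged(fetch, key, **params):
    """Follow SonarQube's p/ps paging until every item under `key` has been collected."""
    page, items = 1, []
    while True:
        data = fetch(p=page, ps=500, **params)
        items.extend(data[key])
        paging = data["paging"]
        if paging["pageIndex"] * paging["pageSize"] >= paging["total"]:
            return items
        page += 1

def vulcan_status_for_issue(issue):
    return ISSUE_STATUS_MAP.get((issue["status"], issue.get("resolution")), "Unmapped")

def vulcan_status_for_hotspot(hotspot):
    return HOTSPOT_STATUS_MAP.get((hotspot["status"], hotspot.get("resolution")), "Unmapped")

def summarize(issues, hotspots):
    """Count findings per Vulcan status, i.e. what the Vulnerabilities page would show."""
    counts = {}
    for status in ([vulcan_status_for_issue(i) for i in issues]
                   + [vulcan_status_for_hotspot(h) for h in hotspots]):
        counts[status] = counts.get(status, 0) + 1
    return counts

# Constructed sample responses (not from a real server): two pages of
# api/issues/search and one page of api/hotspots/search for a project "demo".
SAMPLE_ISSUE_PAGES = [
    {"paging": {"pageIndex": 1, "pageSize": 2, "total": 3}, "issues": [
        {"key": "AX-1", "rule": "java:S2076", "status": "OPEN", "severity": "CRITICAL"},
        {"key": "AX-2", "rule": "java:S2078", "status": "RESOLVED", "resolution": "WONTFIX"},
    ]},
    {"paging": {"pageIndex": 2, "pageSize": 2, "total": 3}, "issues": [
        {"key": "AX-3", "rule": "java:S5131", "status": "RESOLVED", "resolution": "FALSE-POSITIVE"},
    ]},
]
SAMPLE_HOTSPOT_PAGES = [
    {"paging": {"pageIndex": 1, "pageSize": 500, "total": 2}, "hotspots": [
        {"key": "HS-1", "status": "TO_REVIEW"},
        {"key": "HS-2", "status": "REVIEWED", "resolution": "SAFE"},
    ]},
]

def page_server(pages):
    """Stand-in for fetch_json that serves the constructed pages by page number."""
    return lambda p=1, ps=500, **_: pages[p - 1]

def sync_offline():
    issues = paged(page_server(SAMPLE_ISSUE_PAGES), "issues", types="VULNERABILITY", componentKeys="demo")
    hotspots = paged(page_server(SAMPLE_HOTSPOT_PAGES), "hotspots", projectKey="demo")
    return summarize(issues, hotspots)

def sync_live(base_url, token, project_key):
    """Same walk against a real server; the token is checked before any project data is read."""
    if not fetch_json(base_url, token, "authentication/validate").get("valid"):
        raise SystemExit("token rejected: regenerate it under My Account > Security")
    issues = paged(lambda **q: fetch_json(base_url, token, "issues/search",
                                          types="VULNERABILITY", componentKeys=project_key, **q), "issues")
    hotspots = paged(lambda **q: fetch_json(base_url, token, "hotspots/search",
                                            projectKey=project_key, **q), "hotspots")
    return summarize(issues, hotspots)
```

Run sync_offline() to see the constructed findings bucketed as {"Vulnerable": 2, "Ignored - Risk Acknowledged": 1, "Ignored - False Positive": 2}, or sync_live("https://sonar.example.com", token, "my-project") against a real instance. Two caveats worth knowing before relying on a walk like this: api/issues/search refuses to page past 10,000 results (p times ps must stay at or below 10,000), so very large projects need an additional filter such as createdAfter; and a finding whose status the table does not cover lands in Unmapped rather than silently becoming Vulnerable, which is the safer failure mode when the mapping is used to close tickets.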