About integrating SonarCloud into the Vulcan Platform
SonarCloud analyzes your code and advises you when corrective action is needed. When integrated with the Vulcan Platform, it lets you review code-level vulnerabilities on your assets, while leveraging the power of Vulcan Cyber discoverability and automation. In this article, you will find how to connect, locate, and automate SonarCloud with Vulcan Cyber.
Prerequisites and User Permissions
User Permissions
Go to SonarCloud > Account > My Organizations > your organization name > Administration > Permissions Template.
Ensure that both Members and Owners have the following permissions:
Global: Execute analysis
Project: Browse and See source code
Configuring the SonarCloud connector
First, you need to grant the Vulcan Platform access to your SonarCloud by issuing a user token.
Log in to your SonarCloud instance > click the Account icon > My Account, then click on the Security tab.
Enter an indicative name for the token, and then click Generate.
Copy the generated token immediately; its value is hidden once you leave the screen.
Log in to your Vulcan Cyber platform and go to Connectors.
Click on Add a Connector.
Click on the SonarCloud icon.
Enter the following information into the connector setup page.
Server URL: https://sonarcloud.io
API Key: The previously generated API key.
Organization: the name of your organization in the SonarCloud instance.
To retrieve the name, go to your SonarCloud instance > click the Account icon > My Organizations, and copy the relevant organization's name into the field.
Sync security hotspots: A security hotspot is a security-sensitive area of code that SonarCloud has detected and that may need review.
Note: When this option is unchecked, the Vulcan Platform doesn't retrieve security hotspots from SonarCloud.
Map SonarCloud severity to Vulcan numerical score: By default, the Vulcan Platform maps the SonarCloud severity value with a set of default values. To customize the specific mapping values, click show more and modify.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your SonarCloud instance, then click Create (or Save Changes).
Navigate to the Connectors tab to check the sync status. Once the SonarCloud icon shows Connected, the connection is complete.
From SonarCloud to the Vulcan Platform - Fields Mapping
Connector Fields Mapping
SonarCloud field | Vulcan field | Value Example |
Project name | Asset Name | |
SAST | Asset type | |
File name | Asset codebase - source | |
File name + line of code | Asset codebase - location | |
Project information | Asset detail | |
Tags | Asset Tags | |
Issue name | Vulnerability title | |
Severity | Vulnerability score | Blocker, Critical, Major, Minor, Info. Note: the SonarCloud severity is mapped to a numeric score in the Vulcan Platform |
What is this issue | Vulnerability description | |
Security categories | Vulnerability details | CWE, OWASP, SANS |
Issue type | Vulnerability details | Vulnerability, security hotspots |
Vulnerability Status Mapping
Although it is not configurable in the connector interface, the Vulcan Platform maps vulnerability statuses to SonarCloud as well. Outlined below is the general vulnerability status mapping followed by specific SonarCloud security hotspot status mapping.
SonarCloud status | Vulcan status | Notes |
Open, Confirmed | Vulnerable | |
Resolved as fixed | Fixed | Status is also "Fixed" when the vulnerability is no longer present |
Resolved as false positive | Ignored - false positive | |
Resolved as won't fix | Ignored - risk acknowledged | |
Vulnerability Score Mapping
SonarCloud Score | Vulcan Score |
Blocker | 10 |
Critical | 7 |
Major | 5 |
Minor | 3 |
Info | 0 |
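The status and score mapping tables above describe what one connector sync produces. The following is an added example, not Vulcan Cyber's or SonarCloud's own code: it applies the severity score mapping, the status mapping (including the rule that an issue no longer present is reported as Fixed), the Sync security hotspots option, and a customised severity mapping, over constructed issue records whose field names (key, type, severity, status, resolution, component, line, message) are an assumption modelled on SonarCloud issue search results.

```python
from typing import Dict, List

# Severity -> numeric score, as in the Vulnerability Score Mapping table
DEFAULT_SCORES = {"BLOCKER": 10, "CRITICAL": 7, "MAJOR": 5, "MINOR": 3, "INFO": 0}

# Resolution -> Vulcan status, as in the Vulnerability Status Mapping table
RESOLUTION_TO_STATUS = {
    "FIXED": "Fixed",
    "FALSE-POSITIVE": "Ignored - false positive",
    "WONTFIX": "Ignored - risk acknowledged",
}


def vulcan_status(issue: dict) -> str:
    """Open/Confirmed stay Vulnerable; resolved issues follow their resolution.
    Unrecognised states are kept Vulnerable so nothing silently drops out (assumption)."""
    if issue["status"] in ("OPEN", "CONFIRMED"):
        return "Vulnerable"
    return RESOLUTION_TO_STATUS.get(issue.get("resolution", ""), "Vulnerable")


def sync(issues: List[dict], previous: Dict[str, dict], sync_hotspots: bool = True,
         scores: Dict[str, int] = DEFAULT_SCORES) -> Dict[str, dict]:
    """One connector sync: Vulcan-style records keyed by SonarCloud issue key.
    Hotspots are skipped when sync_hotspots is False; an issue seen in `previous`
    but absent now becomes Fixed; `scores` models a customised severity mapping."""
    current: Dict[str, dict] = {}
    for issue in issues:
        if issue["type"] == "SECURITY_HOTSPOT" and not sync_hotspots:
            continue
        current[issue["key"]] = {
            "type": issue["type"],
            "title": issue["message"],
            "score": scores[issue["severity"]],
            "status": vulcan_status(issue),
            "location": f"{issue['component']}:{issue['line']}",
        }
    for key, old in previous.items():  # vulnerabilities that disappeared since last sync
        if key in current or (old["type"] == "SECURITY_HOTSPOT" and not sync_hotspots):
            continue
        current[key] = dict(old, status="Fixed")
    return current


# Constructed sample records (assumption: shape of SonarCloud issue search results)
SAMPLE_ISSUES = [
    {"key": "AX1", "type": "VULNERABILITY", "severity": "BLOCKER", "status": "OPEN",
     "component": "app/db.py", "line": 42, "message": "Database query built from user input"},
    {"key": "AX2", "type": "VULNERABILITY", "severity": "MAJOR", "status": "RESOLVED",
     "resolution": "WONTFIX", "component": "app/cfg.py", "line": 7, "message": "Hard-coded credential"},
    {"key": "AX3", "type": "SECURITY_HOTSPOT", "severity": "MINOR", "status": "TO_REVIEW",
     "component": "app/rand.py", "line": 3, "message": "Weak pseudorandom number generator"},
]
```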
Locating SonarCloud vulnerabilities in the Vulcan Platform
As SonarCloud discovers vulnerabilities, the Vulcan Platform connector imports them for reporting and action. With a large number of assets and potential vulnerabilities, filters make it easy to find specific vulnerabilities by source.
Open the Vulcan Platform dashboard and navigate to the Vulnerabilities tab. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click it to filter by vulnerability source.
Locate SonarCloud on the vulnerability source list and click to filter results by SonarCloud.
Click on any vulnerability to view further information and potentially take action by clicking the Take Action drop-down and choosing an option, as shown below.
Finding SonarCloud code project assets in the Vulcan Platform
To quickly locate all synced Code Project assets from SonarCloud, you may leverage the Assets tab in Vulcan Cyber.
Open the Vulcan Cyber dashboard and navigate to Assets > Code Projects tab.
Click on the Search or filter codeProjects input box and select Connector from the drop-down selection.
Scroll down the resulting connector list to locate the SonarCloud option to view all synced SonarCloud Code Project assets.
Automating SonarCloud vulnerability actions in the Vulcan Platform
Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the SonarCloud connector.
Open the Vulcan Cyber dashboard and navigate to the Automation section. Once there, click the Create new Playbook button.
First, give your automation playbook an indicative name:
Select SonarCloud for the source of vulnerabilities and set the vulnerability condition as Risk is Critical, leaving the rest as defaults.
Click on the Assign via Email as the Remediate Action button.
Choose how tickets are split; in this example, up to 200 vulnerabilities are aggregated into a single email. Then add the recipient emails to be notified.
Leave all other steps as default and click on Save and Run.