SonarCloud Connector

Integrate SonarCloud SAST code scanner with the Vulcan Cyber Platform


About integrating SonarCloud into the Vulcan Platform

SonarCloud analyzes your code and advises you when corrective action is needed. When integrated with the Vulcan Platform, it lets you review code-level vulnerabilities on your assets while leveraging Vulcan Cyber's discoverability and automation. In this article, you will find how to connect SonarCloud to Vulcan Cyber, locate the findings it imports, and automate actions on them.


Prerequisites and User Permissions

User Permissions

Go to SonarCloud > Account > My Organizations > your organization > Administration > Permission Templates.
Ensure that both Members and Owners have the following permissions:

  • global: Execute analysis

  • project: Browse and See source code

A SonarCloud user token acts with the permissions of the user who generated it, so the account used in the next section must be able to browse every project you expect to appear in the Vulcan Platform.


Configuring the SonarCloud connector

  1. First, grant the Vulcan Platform access to SonarCloud by issuing a user token.
    Log in to SonarCloud > click the Account icon > My Account.

  2. Click on the Security tab.

  3. Enter a descriptive name for the token (for example, the name of the integration), and then click Generate.

  4. Copy the generated token right away and keep it somewhere safe: SonarCloud shows it only once and hides it as soon as you leave the screen. Treat it as a credential; it grants whatever the generating user can see.

  5. Log in to your Vulcan Cyber platform and go to Connectors.

  6. Click on Add a Connector.

  7. Click on the SonarCloud icon.

  8. Enter the following information into the connector setup page.

    • API Key: The previously generated API key.

    • Organization: the name of your organization in SonarCloud.

      To retrieve it, go to SonarCloud > click the Account icon > My Organizations, and copy the relevant organization's name into the field. SonarCloud organizations have both a display name and a key (the identifier in the organization's URL); if Test Connectivity fails, check that you did not paste one where the other is expected.

    • Sync security hotspots: A security hotspot is a security-sensitive piece of code that SonarCloud flags for manual review; unlike an issue, it is not necessarily a vulnerability until someone has reviewed it.

      Note: When this option is unchecked, the Vulcan Platform doesn't retrieve security hotspots from SonarCloud.

    • Map SonarCloud severity to Vulcan numerical score: By default, the Vulcan Platform maps each SonarCloud severity (Blocker, Critical, Major, Minor, Info) to a default numerical score (see Vulnerability Score Mapping below). To customize the mapping, click show more and edit the values.

  9. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your SonarCloud instance, then click Create (or Save Changes).

  10. Navigate to the Connectors tab to check the sync status. Once the SonarCloud icon shows Connected, the connection is complete.
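Before pasting the token into the connector, it is worth checking from the command line that it is valid, that it can see the organization, and that it carries Browse on the organization's projects; when Test Connectivity fails, this separates a bad token from a permissions problem. The script below is an added example, not Vulcan's or SonarCloud's code. It calls the documented SonarCloud Web API endpoints (api/authentication/validate, api/organizations/search, api/projects/search, api/issues/search) with the token as the Basic-auth user name; which of these checks Vulcan's own Test Connectivity performs is not stated on this page and is assumed here. fake_sonarcloud is a constructed offline stand-in so the logic can be exercised without a real token; with SONAR_TOKEN set, the script talks to sonarcloud.io. The organization value passed is the organization key (the identifier in the organization's SonarCloud URL), which is what the API expects.

```python
"""Pre-flight check of a SonarCloud user token before it goes into the Vulcan connector.
Added example (not Vulcan's or SonarCloud's code); the set of checks is the editor's assumption."""
import io
import json
import base64
import urllib.request
from urllib.parse import urlencode

SONARCLOUD = "https://sonarcloud.io"


def auth_header(token: str) -> str:
    """SonarCloud accepts the user token as the Basic-auth user name with an empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def sonar_get(path: str, params: dict, token: str, opener=urllib.request.urlopen) -> dict:
    """GET a Web API endpoint and decode its JSON; `opener` is injectable for offline runs."""
    url = f"{SONARCLOUD}/{path}" + (f"?{urlencode(params)}" if params else "")
    req = urllib.request.Request(url, headers={"Authorization": auth_header(token)})
    with opener(req) as resp:
        return json.load(resp)


def preflight(org_key: str, token: str, opener=urllib.request.urlopen) -> dict:
    """Stop at the first failing check; each later check depends on the earlier one."""
    result = {"token_valid": False, "org_visible": False, "projects": 0, "issues_visible": False}
    if not sonar_get("api/authentication/validate", {}, token, opener).get("valid"):
        return result  # wrong, revoked or expired token
    result["token_valid"] = True
    orgs = sonar_get("api/organizations/search", {"organizations": org_key}, token, opener)
    if not any(o.get("key") == org_key for o in orgs.get("organizations", [])):
        return result  # organization key is wrong, or the token's owner is not a member
    result["org_visible"] = True
    # Browse on projects: a non-zero total means the permission template above applies to this user.
    projects = sonar_get("api/projects/search", {"organization": org_key, "ps": 1}, token, opener)
    result["projects"] = projects.get("paging", {}).get("total", 0)
    # Issues are what the connector ingests; an empty "issues" list is still a successful call.
    issues = sonar_get("api/issues/search",
                       {"organization": org_key, "types": "VULNERABILITY", "ps": 1}, token, opener)
    result["issues_visible"] = "issues" in issues
    return result


def fake_sonarcloud(valid: bool = True, member: bool = True):
    """Constructed offline stand-in for urlopen; the bodies mimic the shape of real responses."""
    def opener(req):
        if not req.get_header("Authorization", "").startswith("Basic "):
            raise ValueError("token must be sent as Basic auth")
        url = req.full_url
        if "authentication/validate" in url:
            body = {"valid": valid}
        elif "organizations/search" in url:
            body = {"organizations": [{"key": "acme", "name": "Acme Corp"}] if member else []}
        elif "projects/search" in url:
            body = {"paging": {"pageIndex": 1, "pageSize": 1, "total": 3}, "components": []}
        else:
            body = {"total": 0, "issues": []}
        return io.BytesIO(json.dumps(body).encode())  # BytesIO is a context manager like HTTPResponse
    return opener


if __name__ == "__main__":
    import os
    import sys
    token = os.environ.get("SONAR_TOKEN")
    org = sys.argv[1] if len(sys.argv) > 1 else "acme"
    opener = urllib.request.urlopen if token else fake_sonarcloud()
    print(preflight(org, token or "dummy-token", opener))
```

Run it as `SONAR_TOKEN=... python preflight.py <organization-key>`; a result with token_valid true but projects 0 points at the Permission Templates step rather than at the token itself.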


From SonarCloud to the Vulcan Platform - Fields Mapping

Connector Fields Mapping

SonarCloud field            | Vulcan field               | Value example
----------------------------|----------------------------|---------------------------------------
Project name                | Asset Name                 |
SAST                        | Asset type                 |
File name                   | Asset codebase - source    |
File name + line of code    | Asset codebase - location  |
Project information         | Asset detail               |
Tags                        | Asset Tags                 |
Issue name                  | Vulnerability title        |
Severity                    | Vulnerability score        | Blocker, Critical, Major, Minor, Info
What is this issue          | Vulnerability description  |
Security categories         | Vulnerability details      | CWE, OWASP, SANS
Issue type                  | Vulnerability details      | Vulnerability, security hotspot


Vulnerability Status Mapping

Although it is not configurable in the connector interface, the Vulcan Platform also maps SonarCloud issue statuses to Vulcan vulnerability statuses. Outlined below is the general vulnerability status mapping, followed by the mapping specific to SonarCloud security hotspots.

SonarCloud status            | Vulcan status                | Notes
-----------------------------|------------------------------|-----------------------------------------------------------
Open, Confirmed              | Vulnerable                   |
Resolved as Fixed            | Fixed                        | Also Fixed when SonarCloud no longer reports the vulnerability
Resolved as False positive   | Ignored - false positive     |
Resolved as Won't fix        | Ignored - risk acknowledged  |

Vulnerability Score Mapping

SonarCloud severity | Vulcan score
--------------------|-------------
Blocker             | 10
Critical            | 7
Major               | 5
Minor               | 3
Info                | 0
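The three tables above (field mapping, status mapping and score mapping) describe one transformation: take what SonarCloud reports and produce the asset and vulnerability records Vulcan shows. The script below replays that transformation over a constructed export so you can predict what a given SonarCloud issue will look like after sync. It is an added example, not Vulcan's connector code. Field names follow the JSON that SonarCloud's api/issues/search and api/hotspots/search return; the sample data is constructed and bundles both endpoints' output into one dict. Two things are assumptions rather than page content: how security hotspot statuses map (the article says a mapping exists but does not print it) and that REOPENED behaves like OPEN. The reconcile step implements the note that an issue SonarCloud no longer reports becomes Fixed.

```python
"""Replay the connector's field, score and status mapping tables over a constructed SonarCloud export.
Added example, not Vulcan's or SonarCloud's code; hotspot status rules and REOPENED handling are assumptions."""
from __future__ import annotations

# "Vulnerability Score Mapping" table: the connector's defaults, editable under "show more".
SEVERITY_TO_SCORE = {"BLOCKER": 10, "CRITICAL": 7, "MAJOR": 5, "MINOR": 3, "INFO": 0}


def vulcan_status(status: str, resolution: str | None) -> str:
    """"Vulnerability Status Mapping" table, keyed on SonarCloud issue status and resolution."""
    if status in ("OPEN", "CONFIRMED", "REOPENED"):  # REOPENED is an assumption: treated like OPEN
        return "Vulnerable"
    if resolution == "FALSE-POSITIVE":
        return "Ignored - false positive"
    if resolution == "WONTFIX":
        return "Ignored - risk acknowledged"
    # RESOLVED/FIXED, and CLOSED issues that simply vanished from the latest analysis, both become Fixed.
    return "Fixed"


def hotspot_status(status: str, resolution: str | None) -> str:
    """Assumption: the article says hotspots have their own status mapping but does not print it."""
    if status == "TO_REVIEW":
        return "Vulnerable"
    return "Fixed" if resolution == "FIXED" else "Ignored - risk acknowledged"  # SAFE or ACKNOWLEDGED


def file_path(component: str) -> str:
    """SonarCloud component keys look like "<projectKey>:<path/in/repo>"; the path is the file name."""
    return component.split(":", 1)[1] if ":" in component else component


def base_record(rec: dict, names: dict, issue_type: str) -> dict:
    """"Connector Fields Mapping" rows that issues and hotspots share."""
    path, line = file_path(rec["component"]), rec.get("line")
    return {
        "key": rec["key"],
        "asset_name": names.get(rec["project"], rec["project"]),  # Project name -> Asset Name
        "asset_type": "SAST",
        "codebase_source": path,                                   # File name
        "codebase_location": f"{path}:{line}" if line else path,  # File name + line of code
        "title": rec["message"],                                   # Issue name -> Vulnerability title
        "details": {"issue_type": issue_type},                     # Issue type -> Vulnerability details
    }


def normalize(export: dict, sync_hotspots: bool = True, score_map: dict = SEVERITY_TO_SCORE) -> dict:
    """Turn a SonarCloud export into Vulcan-shaped records keyed by SonarCloud issue/hotspot key."""
    names = {c["key"]: c["name"] for c in export.get("components", [])}
    out: dict[str, dict] = {}
    for issue in export.get("issues", []):
        rec = base_record(issue, names, issue["type"].lower())
        rec["score"] = score_map[issue["severity"]]
        rec["status"] = vulcan_status(issue["status"], issue.get("resolution"))
        rec["asset_tags"] = list(issue.get("tags", []))  # Tags -> Asset Tags
        rec["details"]["rule"] = issue["rule"]
        out[rec["key"]] = rec
    if sync_hotspots:  # with "Sync security hotspots" unchecked, hotspots are never retrieved
        for hs in export.get("hotspots", []):
            rec = base_record(hs, names, "security hotspot")
            rec["score"] = None  # the article gives no hotspot severity -> score rule
            rec["status"] = hotspot_status(hs["status"], hs.get("resolution"))
            rec["details"]["security_category"] = hs.get("securityCategory")
            out[rec["key"]] = rec
    return out


def reconcile(previous: dict, current: dict) -> dict:
    """Anything synced earlier that the new export no longer contains is closed as Fixed."""
    merged = dict(current)
    for key, rec in previous.items():
        if key not in current:
            merged[key] = {**rec, "status": "Fixed"}
    return merged


# Constructed sample, not a real SonarCloud response; issues and hotspots are bundled here for brevity.
SAMPLE_EXPORT = {
    "components": [{"key": "acme_shop", "name": "Acme Shop"}],
    "issues": [
        {"key": "AX1", "rule": "example:sqli", "severity": "CRITICAL", "type": "VULNERABILITY",
         "component": "acme_shop:app/db.py", "project": "acme_shop", "line": 42,
         "status": "OPEN", "resolution": None, "tags": ["cwe", "sql"],
         "message": "Change this code to not construct SQL queries directly from user input."},
        {"key": "AX2", "rule": "example:weak-hash", "severity": "MAJOR", "type": "VULNERABILITY",
         "component": "acme_shop:app/auth.py", "project": "acme_shop", "line": 88,
         "status": "RESOLVED", "resolution": "WONTFIX", "tags": ["cwe"],
         "message": "Use a secure hashing algorithm."},
        {"key": "AX3", "rule": "example:deserialize", "severity": "BLOCKER", "type": "VULNERABILITY",
         "component": "acme_shop:app/api.py", "project": "acme_shop", "line": None,
         "status": "CLOSED", "resolution": "FIXED", "tags": [],
         "message": "Deserialization of untrusted data is no longer reported."},
    ],
    "hotspots": [
        {"key": "HS1", "component": "acme_shop:app/settings.py", "project": "acme_shop", "line": 7,
         "status": "TO_REVIEW", "resolution": None, "securityCategory": "auth",
         "message": "Review this potentially hard-coded credential."},
    ],
}
```

Calling normalize(SAMPLE_EXPORT) yields four records (three if Sync security hotspots is off); AX2, which a developer resolved as Won't fix, arrives in Vulcan as Ignored - risk acknowledged rather than as an open finding, which is worth knowing before you build playbooks that filter on status. Pass a different score_map to see the effect of customizing the severity mapping in the connector.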


Locating SonarCloud vulnerabilities in the Vulcan Platform

As SonarCloud discovers vulnerabilities, the Vulcan Platform connector imports them for reporting and action. With a large number of assets and findings, filtering by vulnerability source is the quickest way to isolate those that came from SonarCloud.

  1. Open the Vulcan Platform dashboard and navigate to Vulnerabilities. Click the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click it to filter by vulnerability source.

  2. Locate SonarCloud on the vulnerability source list and click to filter results by SonarCloud.

  3. Click on any vulnerability to view further information and, if needed, take action by clicking the Take Action drop-down and choosing an option.


Finding SonarCloud code project assets in the Vulcan Platform

To quickly locate all synced Code Project assets from SonarCloud, you may leverage the Assets tab in Vulcan Cyber.

  1. Open the Vulcan Cyber dashboard and navigate to Assets > Code Projects tab.

  2. Click on the Search or filter codeProjects input box and select Connector from the drop-down selection.

  3. Scroll down the resulting connector list to locate the SonarCloud option to view all synced SonarCloud Code Project assets.


Automating SonarCloud vulnerability actions in the Vulcan Platform

Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the SonarCloud connector.

  1. Open the Vulcan Cyber dashboard and navigate to the Automation section. Once there, click the Create new Playbook button.

  2. First, give your automation playbook an indicative name.

  3. Select SonarCloud for the source of vulnerabilities and set the vulnerability condition as Risk is Critical, leaving the rest as defaults.

  4. Click on the Assign via Email as the Remediate Action button.

  5. Choose how the vulnerabilities are split across tickets; in this example, up to 200 vulnerabilities are aggregated into a single email. Then add the recipient email addresses to be notified.

  6. Leave all other steps as default and click on Save and Run.
