Security Analysis with SonarQube Plugin4 Aug 2017 by Martin Bednorz
SonarQube is one of the leading products for continuous code quality inspection and is used by more than 80,000 organizations world-wide to automatically detect a large variety of code quality issues. But in today’s world the detection of security issues is even more important. RIPS Technologies enables to integrate its awarded security analysis solution directly into SonarQube through a plugin. It allows to continuously scan existing SonarQube projects for security threats and for quality issues so that the deployment of unstable applications can be prevented.
Global organizations use SonarQube to concentrate different quality analysis tools in one place for easy management, maintenance, and learning potential of findings. Seasoned developers are able to focus on their work without using multiple tools, whereas new developers can be quickly onboarded. This is enabled by the vast language support provided in the default plugin repository. Additionally, SonarQube can be connected to the most commonly used continuous integration tools, including Bamboo, Travis CI, Jenkins, and TeamCity. Find out more about the values of continuous integration in our Jenkins blog post.
The default analysis tool to scan PHP applications within SonarQube is SonarPHP. It includes a total of 128 rules categorized in Bugs (18), Code Smells (100), and Vulnerabilities (10). Most of the security-related rules are simple configuration checks (e.g. “file_uploads should be disabled”, “allow_url_fopen should be disabled”) or trivial function-call signatures (such as sleep() and eval()).
While heuristical reports of potentially dangerous PHP features can help in a general code quality review, the detection of real security vulnerabilities requires a much more complex data flow analysis. With the help of our RIPS SonarQube plugin, an in-depth security analysis can be easily added to reveal critical security vulnerabilities within minutes.
RIPS SonarQube Plugin
Our plugin includes over 100 security-related analysis rules extracted from our current analysis engine, providing the most complete and accurate static analysis solution available for PHP. By using this plugin you can automatically trigger new security analyses of your applications with your self-hosted RIPS instance or via your RIPS SaaS account. All findings can then be examined directly in SonarQube. Further, you can configure a project-based security risk that results in a quality gate fail whenever a custom threshold of vulnerabilities is detected.
The analysis overview shown in Figure 4 provides a summary of the latest analysis with a direct comparison to the previous scan. In this example, it is clearly indicated that the new version has a security-related regression and that further actions are required by the developer or project manager. In addition to the comparison generated by SonarQube, a more detailed comparison can be reviewed in the user interface of RIPS.
As a next step, a list of all detected security vulnerabilities categorized by issue type can be reviewed in SonarQube (see Figure 6). The issues can be assigned to different users that can prioritize and manage the resolution with additional comments or review states.
Finally, each security issue can be verified from the highlighted code lines and then resolved by following the instructions in the issue description. The detected issues are also referred to the interactive RIPS dashboard that provides many additional features for an efficient review of complex issues.
SonarQube is an extremely useful tool to govern and drive the quality of your source code. Due to the substantial distribution of SonarQube and the extensive amount of plugins and further integrations it is straightforward to implement into your SDLC for the majority of platforms. Combining SonarQube with the efficient security analysis of RIPS enables the measurement of the overall quality and security of your applications in a single place.