
SonarQube

SonarQube scans code projects for potential vulnerabilities, code smells, bugs, and other issues, and provides recommendations for fixing those issues. You can bring code project and static code findings from SonarQube into Brinqa to better understand the security risks associated with your codebase and prioritize remediation efforts to strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with SonarQube and how to obtain that information from SonarQube. See create a data integration for step-by-step instructions on setting up the integration.

The SonarQube connector supports the Community, Developer, Enterprise, and Data Center editions of SonarQube.

Required connection settings

When setting up a data integration, select SonarQube from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate SonarQube with Brinqa:

  • Server URL: The SonarQube Server URL.

  • User token: The user token of the SonarQube account the connector runs as. That account must be able to log in and must have the Browse permission on every project you want to import; the connector cannot read findings from projects the account cannot browse.

Generate a SonarQube user token

For the SonarQube connector to use the SonarQube API, you must provide a user token from SonarQube. The token inherits every permission of the user who creates it and can perform any SonarQube Web API action that user can, so generate it from a dedicated service account that has only the Browse permission on the projects you want to import, not from an administrator account. If the token is ever exposed, revoke it from the same Security tab and generate a new one.

To create a user token, follow these steps:

  1. Log in to your organization's SonarQube server.

  2. Click the account profile icon on the upper-right corner of the page and then click My Account.

  3. Click the Security tab.

  4. Enter a name for the token and click Generate.

    Your new user token displays. You cannot view the token again. Copy the token and save it in a secure location.

note

For additional information on managing user tokens and permissions for your SonarQube account, see SonarQube documentation.

Additional settings

The SonarQube connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 500, which is also the largest page size the SonarQube Web API accepts, so do not go over 500.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 4.

  • Skip certificate verification: Select this option to accept a SonarQube server certificate that cannot be validated (for example, a self-signed certificate). This disables TLS certificate checking for the connection, so anyone who can intercept traffic between Brinqa and the SonarQube server can read the user token. Prefer trusting the server's CA certificate and leaving this option unselected.

Types of data to retrieve

The SonarQube connector can retrieve the following types of data from the SonarQube API:

Table 1: Data retrieved from SonarQube

| Connector Object | Required | Maps to Data Model |
| --- | --- | --- |
| Code Project | Yes | Code Project |
| Static Code Finding | Yes | Static Code Finding |
| Static Code Finding Definition | Yes | Static Code Finding Definition |
info

For detailed steps on how to view the data retrieved from SonarQube in the Brinqa Platform, see How to view your data.

Operation options

The SonarQube connector supports the following operation options. See connector operation options for information about how to apply them.

Table 2: SonarQube connector operation options

| Connector Object | Option | All possible values | Description | Example |
| --- | --- | --- | --- | --- |
| Static Code Finding | resolutions | FALSE-POSITIVE, FIXED, REMOVED, WONTFIX | A comma-separated list of resolutions. Retrieves static code findings with the specified resolutions. | Key: resolutions, Value: FIXED. Retrieves only issues resolved as fixed. |
| Static Code Finding | resolved | false, no, true, yes | Retrieves only resolved (true or yes) or only unresolved (false or no) static code findings. | Key: resolved, Value: true. Retrieves only resolved issues. |
| Static Code Finding | severities | BLOCKER, CRITICAL, INFO, MAJOR, MINOR | A comma-separated list of severity levels. Retrieves static code findings with the specified severities. | Key: severities, Value: CRITICAL. Retrieves only critical issues. |
| Static Code Finding | sonarsourceSecurity | auth, buffer-overflow, command-injection, csrf, dos, file-manipulation, http-response-splitting, insecure-conf, ldap-injection, log-injection, object-injection, open-redirect, others, path-traversal-injection, rce, sql-injection, ssrf, weak-cryptography, xpath-injection, xss, xxe | A comma-separated list of SonarSource security categories. Retrieves static code findings in the specified categories. | Key: sonarsourceSecurity, Value: file-manipulation. Retrieves only issues in the file-manipulation SonarSource security category. |
| Static Code Finding | statuses | CLOSED, CONFIRMED, IN_REVIEW, OPEN, REOPENED, RESOLVED, REVIEWED, TO_REVIEW | A comma-separated list of issue statuses. Retrieves static code findings with the specified statuses. | Key: statuses, Value: OPEN,REOPENED. Retrieves only OPEN and REOPENED issues. |
| Static Code Finding | tags | Any static code finding tag | A comma-separated list of tags. Retrieves static code findings with the specified tags. | Key: tags, Value: convention. Retrieves only issues with the convention tag. |
| Static Code Finding | types | BUG, CODE_SMELL, VULNERABILITY | A comma-separated list of issue types. Retrieves static code findings of the specified types. | Key: types, Value: CODE_SMELL,BUG. Retrieves only CODE_SMELL and BUG issues. |
note

The option keys and values are case-sensitive as they are shown in this documentation.

APIs

The SonarQube connector uses the SonarQube Web API. Specifically, it uses the following endpoints:

Table 3: SonarQube Web API Endpoints

| Connector Object | API Endpoint |
| --- | --- |
| Code Project | GET /api/projects/search |
| | GET /api/measures/component |
| | GET /api/project_analyses/search |
| Static Code Finding | GET /api/issues/search |
| | GET /api/sources/show |
| Static Code Finding Definition | GET /api/rules/search |
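The following example, written for this page and not part of Brinqa's connector, shows how the pieces above fit together for the Static Code Finding object: the operation options become query parameters on GET /api/issues/search, the token is sent as HTTP Basic credentials, the page size is capped at 500, and paging stops at SonarQube's 10,000-result limit instead of requesting a page the server would reject. The server URL, the token value, the fake_server stand-in and its sample issues are constructed for the example; the real-server fetcher is included but not exercised offline.

```python
"""Added example (not part of Brinqa's SonarQube connector): build, authenticate
and page through SonarQube /api/issues/search requests using the connector's
operation options, page-size limit and the Web API's 10,000-result cap."""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Allowed values copied from the operation-options table; keys and values are
# case-sensitive, so they are compared exactly. tags and sonarsourceSecurity
# take free-form values here and are passed through unchanged.
ALLOWED_VALUES: Dict[str, set] = {
    "resolutions": {"FALSE-POSITIVE", "FIXED", "REMOVED", "WONTFIX"},
    "resolved": {"false", "no", "true", "yes"},
    "severities": {"BLOCKER", "CRITICAL", "INFO", "MAJOR", "MINOR"},
    "statuses": {"CLOSED", "CONFIRMED", "IN_REVIEW", "OPEN", "REOPENED",
                 "RESOLVED", "REVIEWED", "TO_REVIEW"},
    "types": {"BUG", "CODE_SMELL", "VULNERABILITY"},
}
PASS_THROUGH = {"tags", "sonarsourceSecurity"}
MAX_PAGE_SIZE = 500      # SonarQube rejects ps > 500
MAX_RESULTS = 10_000     # SonarQube refuses any page starting past result 10,000


def invalid_values(options: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each option key to the comma-separated values that are not allowed."""
    bad: Dict[str, List[str]] = {}
    for key, value in options.items():
        if key in ALLOWED_VALUES:
            wrong = [v for v in value.split(",") if v not in ALLOWED_VALUES[key]]
            if wrong:
                bad[key] = wrong
        elif key not in PASS_THROUGH:
            bad[key] = [value]          # unknown key: the whole entry is wrong
    return bad


def issues_search_url(server_url: str, options: Dict[str, str],
                      page: int, page_size: int = MAX_PAGE_SIZE) -> str:
    """URL for one page of /api/issues/search; commas in list values stay unescaped."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page size must be between 1 and {MAX_PAGE_SIZE}")
    if page * page_size > MAX_RESULTS:
        raise ValueError("page would exceed SonarQube's 10,000-result limit")
    bad = invalid_values(options)
    if bad:
        raise ValueError(f"invalid operation options (values are case-sensitive): {bad}")
    params = {"p": str(page), "ps": str(page_size), **options}
    return f"{server_url.rstrip('/')}/api/issues/search?" + urllib.parse.urlencode(params, safe=",")


def auth_header(token: str) -> str:
    """SonarQube accepts a user token as the Basic-auth username with an empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def tls_context(ca_bundle: Optional[str] = None, skip_verify: bool = False) -> ssl.SSLContext:
    """skip_verify=True mirrors the connector's 'Skip certificate verification': it drops
    hostname and chain checks, so anyone on the path can read the token. Prefer ca_bundle."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if skip_verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_issues(fetch_page: Callable[[int], dict],
                 page_size: int = MAX_PAGE_SIZE) -> Tuple[List[dict], int]:
    """Walk every page, stopping at the last one or at the 10,000-result cap.
    Returns (issues, total reported by the server); len(issues) < total means truncation."""
    issues: List[dict] = []
    page = 1
    while True:
        body = fetch_page(page)
        issues.extend(body["issues"])
        total = body["paging"]["total"]
        if page * page_size >= min(total, MAX_RESULTS):
            return issues, total
        page += 1


def http_page_fetcher(server_url: str, token: str, options: Dict[str, str],
                      ctx: ssl.SSLContext, page_size: int = MAX_PAGE_SIZE) -> Callable[[int], dict]:
    """Fetcher for a live server (not exercised offline)."""
    def fetch(page: int) -> dict:
        req = urllib.request.Request(issues_search_url(server_url, options, page, page_size),
                                     headers={"Authorization": auth_header(token)})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return fetch


def fake_server(total: int, page_size: int = MAX_PAGE_SIZE) -> Callable[[int], dict]:
    """Constructed stand-in for SonarQube holding `total` issues; like the real server
    it rejects any page that would start beyond the 10,000th result."""
    def fetch(page: int) -> dict:
        if page * page_size > MAX_RESULTS:
            raise RuntimeError("HTTP 400: Can return only the first 10000 results")
        start = (page - 1) * page_size
        keys = range(start, min(start + page_size, total))
        return {"paging": {"pageIndex": page, "pageSize": page_size, "total": total},
                "issues": [{"key": f"AX-{k}", "severity": "CRITICAL"} for k in keys]}
    return fetch


if __name__ == "__main__":
    opts = {"severities": "CRITICAL", "statuses": "OPEN,REOPENED", "types": "VULNERABILITY"}
    print(issues_search_url("https://sonar.example.internal", opts, page=1))
    got, total = fetch_issues(fake_server(12_000))
    print(f"fetched {len(got)} of {total} issues (cut off by the 10,000-result cap)")
```

When a project reports more than 10,000 matching issues, narrow the search with the operation options (for example, by statuses or severities) or import per project rather than expecting later pages to arrive; the server rejects them outright.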

Changelog

The SonarQube connector has undergone the following changes:

3.0.2

  • Improved its handling of the SonarQube Web API's limitation that a search can return at most 10,000 results (page number multiplied by page size cannot exceed 10,000), regardless of how many records match.

3.0.1

  • Replaced ImmutableSet with HashSet.

3.0.0