SonarQube
SonarQube scans your code projects for potential vulnerabilities, code smells, bugs, and other issues, and provides recommendations for fixing them. You can bring code projects and static code findings from SonarQube into Brinqa to better understand the security risks associated with your codebase and prioritize remediation efforts to strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with SonarQube and how to obtain that information from SonarQube. See create a data integration for step-by-step instructions on setting up the integration.
The SonarQube connector supports the Community, Developer, Enterprise, and Data Center editions of SonarQube. For additional information, see SonarQube plans and pricing.
Required connection settings
When setting up a data integration, select SonarQube from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate SonarQube with Brinqa:
- Server URL: The SonarQube Server URL.
- User token: The access token associated with the SonarQube user, which must have permissions to log in to the API server and return data.
Generate a SonarQube user token
For the SonarQube connector to use the SonarQube API, you must provide a user token. The user token inherits the permissions of the user who creates the token and can be used to perform any SonarQube Web API action.
To create a user token, follow these steps:
1. Log in to your organization's SonarQube server.
2. Click the account profile icon on the upper-right corner of the page and then click My Account.
3. Click the Security tab.
4. Enter a name for the token and click Generate.
Your new user token is displayed. You cannot view the token again after this, so copy and save it to a secure location.
If you do not have permissions to create a user token, contact your SonarQube administrator. For additional information on managing user tokens and permissions, see SonarQube documentation.
Additional settings
The SonarQube connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 500. Values above 500 are not recommended.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
- Skip certificate verification: Select this option to accept untrusted TLS certificates from the SonarQube server; the connector then skips certificate verification for that connection.
Types of data to retrieve
The SonarQube connector can retrieve the following types of data from the SonarQube API:
Table 1: Data retrieved from SonarQube
Connector Object | Required | Maps to Data Model |
---|---|---|
Code Project | Yes | Code Project |
Static Code Finding | Yes | Static Code Finding |
Static Code Finding Definition | Yes | Static Code Finding Definition |
For detailed steps on how to view the data retrieved from SonarQube in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Code Project
Table 2: Code Project attribute mappings
Source Field Name | Maps to Attribute |
---|---|
analysis.projectVersion | Local variable (projectVersion) |
component.description | description |
component.measure("alert_status") | Local variable (qualityGate) |
component.measure("cognitive_complexity") | Local variable (cognitiveComplexity) |
component.measure("complexity") | Local variable (cyclomaticComplexity) |
component.measure("coverage") | Local variable (coverage) |
component.measure("duplicated_lines_density") | Local variable (duplication) |
component.measure("ncloc") | Local variable (linesOfCode) |
component.measure("reliability_rating") | Local variable (reliabilityRating) |
component.measure("security_rating") | Local variable (securityRating) |
component.measure("sqale_rating") | Local variable (maintainabilityRating) |
project.key | uid |
project.lastAnalysisDate | lastAssessed |
project.name | name |
project.organization | Local variable (org) |
project.qualifier | Local variable (qualifier) |
project.revision | Local variable (revision) |
project.visibility | Local variable (visibility) |
Static Code Finding
Table 3: Static Code Finding attribute mappings
Source Field Name | Maps to Attribute |
---|---|
issue.author | Local variable (author) |
issue.component, issue.line | path |
issue.creationDate | firstFound |
issue.debt | Local variable (debt) |
issue.effort | Local variable (effort) |
issue.hash | Local variable (hash) |
issue.key | uid, Local variable (key) |
issue.message | results |
issue.project | targets |
issue.rule | type |
issue.status | status (normalize), statusCategory |
issue.tags | tags |
issue.updateDate | lastFound |
sources | codeSnippet |
Static Code Finding Definition
Table 4: Static Code Finding Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
rule.createdAt | publishedDate |
rule.htmlDesc, rule.descriptionSections | description |
rule.isTemplate | Local variable (template) |
rule.key | uid |
rule.lang | languages |
rule.name | name |
rule.params | Local variable (params) |
rule.repo | repository |
rule.severity | severity (normalize), sourceSeverity, severityScore |
rule.tags | tags |
rule.type | categories |
rule.updatedAt | sourceLastModified |
rules.isExternal | Local variable (external) |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The SonarQube connector supports the following operation options. See connector operation options for information about how to apply them.
Expand the sections below to view the supported operation options for each connector object:
Code Project
Table 5: Code Project operation options
Connector Object | Option | All Possible values | Description | Example |
---|---|---|---|---|
Code Project | resolutions | FALSE-POSITIVE, FIXED, REMOVED, WONTFIX | A comma-separated list of resolutions. Retrieve code projects with the specified resolution. | Key: resolutions, Value: FIXED. This key and value combination only retrieves fixed code projects. |
Code Project | resolved | false, no, true, yes | Retrieve code projects with the specified status. | Key: resolved, Value: true. This key and value combination only retrieves resolved code projects. |
Code Project | severities | BLOCKER, CRITICAL, INFO, MAJOR, MINOR | A comma-separated list of severity levels. Retrieve code projects with the specified severity level. | Key: severities, Value: CRITICAL. This key and value combination only retrieves critical code projects. |
Code Project | sonarsourceSecurity | auth, buffer-overflow, command-injection, csrf, dos, file-manipulation, http-response-splitting, insecure-conf, ldap-injection, log-injection, object-injection, open-redirect, others, path-traversal-injection, rce, sql-injection, ssrf, weak-cryptography, xpath-injection, xss, xxe | A comma-separated list of SonarSource security categories. Retrieve code projects with the specified category. | Key: sonarsourceSecurity, Value: file-manipulation. This key and value combination only retrieves code projects that fall under the file-manipulation SonarSource security category. |
Code Project | statuses | CLOSED, CONFIRMED, IN_REVIEW, OPEN, REOPENED, RESOLVED, REVIEWED, TO_REVIEW | A comma-separated list of issue statuses. Retrieve code projects by the specified statuses. | Key: statuses, Value: OPEN,REOPENED. This key and value combination only retrieves open and reopened code projects. |
Code Project | tags | Any code project tags. | A comma-separated list of tags. Retrieve code projects with the specified tags. | Key: tags, Value: convention. This key and value combination only retrieves code projects with the convention tag. |
Code Project | types | BUG, CODE_SMELL, VULNERABILITY | A comma-separated list of issue types. Retrieve code projects by the specified type. | Key: types, Value: CODE_SMELL,BUG. This key and value combination only retrieves code projects of the code smell and bug types. |
Static Code Finding
Table 6: Static Code Finding operation options
Connector Object | Option | All Possible values | Description | Example |
---|---|---|---|---|
Static Code Finding | resolutions | FALSE-POSITIVE, FIXED, REMOVED, WONTFIX | A comma-separated list of resolutions. Retrieve static code findings with the specified resolution. | Key: resolutions, Value: FIXED. This key and value combination only retrieves fixed issues. |
Static Code Finding | resolved | false, no, true, yes | Retrieve static code findings with the specified status. | Key: resolved, Value: true. This key and value combination only retrieves resolved issues. |
Static Code Finding | severities | BLOCKER, CRITICAL, INFO, MAJOR, MINOR | A comma-separated list of severity levels. Retrieve static code findings with the specified severity level. | Key: severities, Value: CRITICAL. This key and value combination only retrieves critical issues. |
Static Code Finding | sonarsourceSecurity | auth, buffer-overflow, command-injection, csrf, dos, file-manipulation, http-response-splitting, insecure-conf, ldap-injection, log-injection, object-injection, open-redirect, others, path-traversal-injection, rce, sql-injection, ssrf, weak-cryptography, xpath-injection, xss, xxe | A comma-separated list of SonarSource security categories. Retrieve static code findings with the specified category. | Key: sonarsourceSecurity, Value: file-manipulation. This key and value combination only retrieves issues that fall under the file-manipulation SonarSource security category. |
Static Code Finding | statuses | CLOSED, CONFIRMED, IN_REVIEW, OPEN, REOPENED, RESOLVED, REVIEWED, TO_REVIEW | A comma-separated list of issue statuses. Retrieve static code findings by the specified statuses. | Key: statuses, Value: OPEN,REOPENED. This key and value combination only retrieves open and reopened issues. |
Static Code Finding | tags | Any static code finding tags. | A comma-separated list of tags. Retrieve static code findings with the specified tags. | Key: tags, Value: convention. This key and value combination only retrieves issues with the convention tag. |
Static Code Finding | types | BUG, CODE_SMELL, VULNERABILITY | A comma-separated list of issue types. Retrieve static code findings by the specified type. | Key: types, Value: CODE_SMELL,BUG. This key and value combination only retrieves code smell and bug type issues. |
Static Code Finding Definition
Table 7: Static Code Finding Definition operation options
Connector Object | Option | All Possible values | Description | Example |
---|---|---|---|---|
Static Code Finding Definition | resolutions | FALSE-POSITIVE, FIXED, REMOVED, WONTFIX | A comma-separated list of resolutions. Retrieve static code finding definitions with the specified resolution. | Key: resolutions, Value: FIXED. This key and value combination only retrieves fixed issues. |
Static Code Finding Definition | resolved | false, no, true, yes | Retrieve static code finding definitions with the specified status. | Key: resolved, Value: true. This key and value combination only retrieves resolved issues. |
Static Code Finding Definition | severities | BLOCKER, CRITICAL, INFO, MAJOR, MINOR | A comma-separated list of severity levels. Retrieve static code finding definitions with the specified severity level. | Key: severities, Value: CRITICAL. This key and value combination only retrieves critical issues. |
Static Code Finding Definition | sonarsourceSecurity | auth, buffer-overflow, command-injection, csrf, dos, file-manipulation, http-response-splitting, insecure-conf, ldap-injection, log-injection, object-injection, open-redirect, others, path-traversal-injection, rce, sql-injection, ssrf, weak-cryptography, xpath-injection, xss, xxe | A comma-separated list of SonarSource security categories. Retrieve static code finding definitions with the specified category. | Key: sonarsourceSecurity, Value: file-manipulation. This key and value combination only retrieves issues that fall under the file-manipulation SonarSource security category. |
Static Code Finding Definition | statuses | CLOSED, CONFIRMED, IN_REVIEW, OPEN, REOPENED, RESOLVED, REVIEWED, TO_REVIEW | A comma-separated list of issue statuses. Retrieve static code finding definitions by the specified statuses. | Key: statuses, Value: OPEN,REOPENED. This key and value combination only retrieves open and reopened issues. |
Static Code Finding Definition | tags | Any static code finding definition tags. | A comma-separated list of tags. Retrieve static code finding definitions with the specified tags. | Key: tags, Value: convention. This key and value combination only retrieves issues with the convention tag. |
Static Code Finding Definition | types | BUG, CODE_SMELL, VULNERABILITY | A comma-separated list of issue types. Retrieve static code finding definitions by the specified type. | Key: types, Value: CODE_SMELL,BUG. This key and value combination only retrieves code smell and bug type issues. |
Option keys and values are case-sensitive and must be entered exactly as shown in this documentation.
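As an added example (not Brinqa's connector code or SonarQube's own client), the Python below shows how the option keys and values in Tables 5 to 7 translate into query parameters for GET /api/issues/search, rejecting values that do not match the tables case-sensitively, and how a sync pages through results while honouring the 500-record page size and the vendor's 10,000-record cap noted in the changelog. The fetcher is a constructed offline stand-in for the API; p and ps are SonarQube's page-index and page-size parameters.

```python
ALLOWED = {  # permitted values per option key (Tables 5-7); None means free-form
    "resolutions": {"FALSE-POSITIVE", "FIXED", "REMOVED", "WONTFIX"},
    "resolved": {"false", "no", "true", "yes"},
    "severities": {"BLOCKER", "CRITICAL", "INFO", "MAJOR", "MINOR"},
    "statuses": {"CLOSED", "CONFIRMED", "IN_REVIEW", "OPEN", "REOPENED",
                 "RESOLVED", "REVIEWED", "TO_REVIEW"},
    "types": {"BUG", "CODE_SMELL", "VULNERABILITY"},
    "sonarsourceSecurity": {
        "auth", "buffer-overflow", "command-injection", "csrf", "dos",
        "file-manipulation", "http-response-splitting", "insecure-conf",
        "ldap-injection", "log-injection", "object-injection", "open-redirect",
        "others", "path-traversal-injection", "rce", "sql-injection", "ssrf",
        "weak-cryptography", "xpath-injection", "xss", "xxe"},
    "tags": None,
}
MAX_PAGE_SIZE = 500   # recommended ceiling for the connector's Page size setting
MAX_RESULTS = 10_000  # vendor API cap on returned records (changelog 3.0.2)

def build_params(options, page=1, page_size=MAX_PAGE_SIZE):
    """Validate options (case-sensitive) and build /api/issues/search params (p=page, ps=size)."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be 1..{MAX_PAGE_SIZE}")
    params = {"p": page, "ps": page_size}
    for key, value in options.items():
        if key not in ALLOWED:
            raise ValueError(f"unknown option {key!r}")
        values = [v.strip() for v in value.split(",") if v.strip()]
        bad = [v for v in values if ALLOWED[key] is not None and v not in ALLOWED[key]]
        if bad:
            raise ValueError(f"{key}: unsupported value(s) {bad}; values are case-sensitive")
        params[key] = ",".join(values)
    return params

def fetch_all(fetch_page, options, page_size=MAX_PAGE_SIZE):
    """Collect every page; fetch_page(params) -> (total, batch). Stops at the 10,000 cap."""
    issues, page = [], 1
    while True:
        total, batch = fetch_page(build_params(options, page, page_size))
        issues.extend(batch)
        if not batch or len(issues) >= min(total, MAX_RESULTS):
            return issues
        page += 1

def constructed_fetch(total):
    """Constructed offline stand-in for the API: serves `total` fake issue keys."""
    def fetch_page(params):
        start = (params["p"] - 1) * params["ps"]
        end = min(start + params["ps"], total, MAX_RESULTS)  # mimic the vendor cap
        return total, [f"ISSUE-{i}" for i in range(start, end)]
    return fetch_page
```

Swap constructed_fetch for a real HTTP call carrying the user token to run this against a server; the validation and paging logic stay the same.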
APIs
The SonarQube connector uses the SonarQube Web API. Specifically, it uses the following endpoints:
Table 8: SonarQube Web API Endpoints
Connector Object | API Endpoint |
---|---|
Code Project | GET /api/measures/component |
Code Project | GET /api/project_analyses/search |
Code Project | GET /api/projects/search |
Static Code Finding | GET /api/issues/search |
Static Code Finding Definition | GET /api/rules/search |
Changelog
The SonarQube connector has undergone the following changes:
Table 9: SonarQube connector changelog
Version | Description |
---|---|
3.0.3 | Fixed an issue where syncs were failing with a "NoSuchElementException" error. |
3.0.2 | Improved handling of the vendor API's limit of 10,000 returned records. |
3.0.1 | Replaced ImmutableSet with HashSet. |
3.0.0 | Initial Integration+ release. |