Can SonarQube be used as a Static Application Security Testing (SAST) tool?
I'm looking for a Static Application Security Testing (SAST) tool and I can't afford the commercial products (e.g. Checkmarx).

SonarQube is a great static code analysis tool, but I notice that there are only a few rules of the "Vulnerabilities" type ("Vulnerabilities" equals "Security", am I right?).

I plan to extend it with some custom plugins including a lot of vulnerability rules (maybe hundreds of rules for C/C++, Java, and other languages that SonarQube supports).

Is that a practicable way to make SonarQube a "Checkmarx-like" tool? Or is SonarQube suitable for static security testing? (I'm not sure if Sonar Scanner is suitable for scanning for security problems.)

Thanks a lot!

Perigon answered 24/11, 2017 at 10:18
Today SonarQube as is cannot replace the Checkmarx tool. Maybe at the end of 2018/2019 the story would be different. (Trixie)
SonarQube now has security rules for the OWASP Top 10 2017 in addition to other security vulnerability rules. https://docs.sonarqube.org/latest/user-guide/security-rules/ (Stavros)
And this link says SonarQube now performs SAST: https://www.sonarqube.org/features/security/ (Stavros)
So @JeroenHeier, what is your opinion now, in 2020? (Bahia)
@Attila Csipak You can have a look here: itcentralstation.com/products/comparisons/… (Trixie)
This report tries to aggregate user reviews, which are wildly subjective. Maybe there are more objective means to compare SAST tools. For example, I read a Gartner research paper comparing SAST (and other security) tools recently. Regrettably SonarQube wasn't included for various reasons (being OSS-based, not primarily security-focused etc.). Thanks anyway for pointing me towards IT Central Station. (Bahia)
5

There is a separate SAST tool released by OWASP team named "OWASP SonarQube". This is developed using the sonarqube tool, but as a SAST tool.

This tool can be integrated with your project build in the same way as the SonarQube integration. So if you are familiar with SonarQube, it will be a straightforward move.

Oscine answered 8/10, 2019 at 9:51
The associated GitHub repo has been archived and is read-only. It looks to me like the OWASP SonarQube project has been retired. community.sonarsource.com/t/owasp-sonarqube-project/36920/2 (Meek)
@PaulG - however, the SonarQube product still supports security tests as a SAST tool as per the website sonarqube.org/features/security (Oscine)
5

As there is no recent answer and the others are very old, here is an update from 2023: depending on your language requirements, yes, SonarQube can be used for SAST, including the free Community Edition.

For details have a look at https://www.sonarsource.com/solutions/security/

Asur answered 30/1, 2023 at 10:07
2

I don't know Checkmarx, but if you only filter for vulnerabilities you may only see 33 rules. If you however filter for different standards like SANS, SWE, CERT and the like, there are many more: https://www.sonarsource.com/products/codeanalyzers/sonarjava/rules.html#CERT

Also, you can add FindBugs with the secbugs plugin, which has over 125 security bug patterns... You may have to deactivate the redundant ones, though (and it is only for Java...).

Vase answered 27/11, 2017 at 8:27
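The two points made in the answers above, that the scanner can be wired into the build and that filtering rules by standard tag rather than by the "Vulnerabilities" type changes the picture, can be checked against a running server through SonarQube's Web API. The script below is an added example and is not code from the original post or from SonarSource. It uses the real endpoints `api/rules/search` and `api/issues/search` with their `languages`, `types`, `tags`, `componentKeys` and `resolved` parameters, but `SONAR_URL`, `PROJECT_KEY`, the rule keys and the two JSON responses are constructed placeholders so that it runs offline; on a live server, replace the samples with the output of `fetch_json(...)`.

```python
"""Added example (not from the original post or from SonarSource): count the
security rules SonarQube exposes under different filters, and gate a CI build
on unresolved vulnerability issues.

Assumptions: SONAR_URL and PROJECT_KEY are placeholders; the endpoints and
parameters used are real SonarQube Web API ones, but RULES_SAMPLE and
ISSUES_SAMPLE are constructed, not real server output."""
import base64
import json
import urllib.parse
import urllib.request
from collections import Counter

SONAR_URL = "http://localhost:9000"   # placeholder: your SonarQube server
PROJECT_KEY = "example-project"       # placeholder: your project key
SEVERITY_ORDER = ["INFO", "MINOR", "MAJOR", "CRITICAL", "BLOCKER"]


def rule_search_url(base, language, rule_type=None, tags=None, page_size=500):
    """URL for api/rules/search. types=VULNERABILITY alone gives the small
    count the question noticed; tags such as cwe, cert or owasp-a1 also pull
    in security-relevant rules that SonarQube files as BUG or CODE_SMELL."""
    params = {"languages": language, "ps": page_size}
    if rule_type:
        params["types"] = rule_type
    if tags:
        params["tags"] = ",".join(tags)
    return f"{base}/api/rules/search?{urllib.parse.urlencode(params)}"


def issue_search_url(base, project_key):
    """URL for the unresolved vulnerability issues of one project."""
    params = {"componentKeys": project_key, "types": "VULNERABILITY",
              "resolved": "false", "ps": 500}
    return f"{base}/api/issues/search?{urllib.parse.urlencode(params)}"


def fetch_json(url, token):
    """GET a SonarQube API URL with a user token sent as the basic-auth
    user name and an empty password (works on old and new versions)."""
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def count_by_type(rules_response):
    """How many rules of each SonarQube type the search returned."""
    return dict(Counter(r["type"] for r in rules_response["rules"]))


def count_by_standard(rules_response,
                      standards=("cwe", "cert", "owasp-a1", "sans-top25-risky")):
    """How many returned rules carry each security-standard tag (sysTags are
    SonarSource's built-in tags, tags are ones users added)."""
    counts = Counter()
    for rule in rules_response["rules"]:
        rule_tags = set(rule.get("sysTags", [])) | set(rule.get("tags", []))
        counts.update(std for std in standards if std in rule_tags)
    return dict(counts)


def failing_vulnerabilities(issues_response, min_severity="MAJOR"):
    """Unresolved VULNERABILITY issues at or above min_severity; a CI job
    fails the build when this list is non-empty."""
    threshold = SEVERITY_ORDER.index(min_severity)
    return [i for i in issues_response["issues"]
            if i["type"] == "VULNERABILITY"
            and i.get("resolution") is None          # resolved issues carry a resolution
            and SEVERITY_ORDER.index(i["severity"]) >= threshold]


# Constructed sample responses: the shape follows the API, the values are made up.
RULES_SAMPLE = {"total": 4, "p": 1, "ps": 500, "rules": [
    {"key": "java:EXAMPLE1", "type": "VULNERABILITY", "lang": "java",
     "sysTags": ["cwe", "owasp-a1", "sans-top25-risky"], "tags": []},
    {"key": "java:EXAMPLE2", "type": "VULNERABILITY", "lang": "java",
     "sysTags": ["cwe", "cert"], "tags": []},
    {"key": "java:EXAMPLE3", "type": "BUG", "lang": "java",
     "sysTags": ["cert"], "tags": ["security"]},
    {"key": "java:EXAMPLE4", "type": "CODE_SMELL", "lang": "java",
     "sysTags": ["cwe"], "tags": []},
]}
ISSUES_SAMPLE = {"total": 3, "issues": [
    {"key": "issue-1", "rule": "java:EXAMPLE1", "severity": "CRITICAL",
     "type": "VULNERABILITY", "status": "OPEN",
     "component": "example-project:src/Main.java", "line": 42},
    {"key": "issue-2", "rule": "java:EXAMPLE2", "severity": "MINOR",
     "type": "VULNERABILITY", "status": "OPEN",
     "component": "example-project:src/Util.java", "line": 7},
    {"key": "issue-3", "rule": "java:EXAMPLE3", "severity": "BLOCKER",
     "type": "BUG", "status": "OPEN",
     "component": "example-project:src/Util.java", "line": 19},
]}


if __name__ == "__main__":
    # Offline run over the constructed samples; use fetch_json(url, token) against a live server.
    print(rule_search_url(SONAR_URL, "java", rule_type="VULNERABILITY"))
    print(rule_search_url(SONAR_URL, "java", tags=["cwe", "cert", "owasp-a1"]))
    print("by type:", count_by_type(RULES_SAMPLE))
    print("by standard:", count_by_standard(RULES_SAMPLE))
    failing = failing_vulnerabilities(ISSUES_SAMPLE, "MAJOR")
    print("gate:", "FAIL" if failing else "PASS", [i["key"] for i in failing])
```

On the constructed sample, two rules are of type VULNERABILITY but three carry a CWE tag and two a CERT tag, which is the discrepancy the answer describes; the gate function ignores the BLOCKER bug and the MINOR vulnerability and fails only on the CRITICAL one, so the severity threshold is the knob to tune per project.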
-3

I would like to draw your attention to the PVS-Studio tool. It is oriented not only towards code quality control (searching for code smells), but also towards finding real errors and potential vulnerabilities. Here is the list showing the correspondence between PVS-Studio diagnostics and CWE. Soon it will be possible to work in CWE code mode in the PVS-Studio interface. It is planned for the next PVS-Studio 6.20 release.

PVS-Studio is a tool for bug detection in the source code of programs written in C, C++, and C#. It works in Windows and Linux environments. Another pleasant addition is the ability to integrate PVS-Studio with SonarQube.

Bathe answered 24/11, 2017 at 14:24