Login/Register
SonarQube does not display Bandit's Python security vulnerability report
Asked Answered
Solved pythonsonarqubebandit-python
D

2

6

Overview

I'm using SonarQube 7.4.0.18908 to gather code coverage and perform static code analysis for a Python 3.6 project. The server is running in AWS. Things are working as expected (see screenshot below).

Now I'd like to add security scanning for the project. I "chose" Bandit, but really that seems to be the only tool which currently integrates with SonarQube for Python, as described in Import Bandit Issues Reports. The SonarPython plugin supports Bandit analysis, which is installed on the SonarQube server. To generate vulnerability report locally, I'm using Bandit 1.5.1 pip3 module.

Issue

The vulnerability report is not displayed - possibly not even uploaded - to SonarQube (see same screenshot below).

Steps to Reproduce

I added this line to the project's sonar-project.properties file:

sonar.python.bandit.reportPaths=bandit-report.json

I then ran the report:

pip3 install bandit==1.5.1
bandit --format json --output bandit-report.json --recursive src

I verified that bandit-report.json contains correct data:

{
  "errors": [],
  "generated_at": "2019-01-30T14:49:18Z",
  "metrics": {
...
"results": [
    {
      "code": "8 def prepare_df_for_comparison(df, name, ignore_columns=None, sort_columns=None):\n9     assert df is not None\n10 \n11     # upper-case all columns\n12     df.columns = [x.upper() for x in df.columns]\n",
      "filename": "./build/lib/tasks/compare_df.py",
      "issue_confidence": "HIGH",
      "issue_severity": "LOW",
      "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
...

I then published to SonarQube:

sonar-scanner

The output of the scanner:

INFO: Scanner configuration file: NONE
INFO: Project root configuration file: /root_dir/sonar-project.properties
INFO: SonarQube Scanner 3.2.0.1227
INFO: Java 1.8.0_191 Oracle Corporation (64-bit)
INFO: Linux 4.9.125-linuxkit amd64
INFO: User cache: /root/.sonar/cache
INFO: SonarQube server 7.4.0
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Publish mode
INFO: Load global settings
INFO: Load global settings (done) | time=126ms
INFO: Server id: <snip>
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=102ms
INFO: Load/download plugins (done) | time=130ms
INFO: Loaded core extensions:
INFO: Process project properties
INFO: Load project repositories
INFO: Load project repositories (done) | time=84ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=33ms
INFO: Load active rules
INFO: Load active rules (done) | time=554ms
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=27ms
INFO: Project key: security-scan
INFO: Project base dir: /root_dir/src
INFO: -------------  Scan Security Scan
INFO: Base dir: /root_dir/src
INFO: Working dir: /root_dir/src/.scannerwork
INFO: Source paths: config, dag_factories, operators, tasks
INFO: Test paths: tests
INFO: Source encoding: UTF-8, default locale: en_US
INFO: Load server rules
INFO: Load server rules (done) | time=187ms
INFO: Language is forced to py
INFO: Index files
INFO: Excluded sources:
INFO:   **/*.pyc
INFO:   **/*.ini
INFO: Excluded tests:
INFO:   **/*.pyc
INFO: 95 files indexed
INFO: 82 files ignored because of inclusion/exclusion patterns
INFO: Quality profile for py: Sonar way
INFO: Sensor Python Squid Sensor [python]
WARN: Metric 'comment_lines_data' is deprecated. Provided value is ignored.
INFO: Sensor Python Squid Sensor [python] (done) | time=2831ms
INFO: Sensor PythonXUnitSensor [python]
INFO: Sensor PythonXUnitSensor [python] (done) | time=318ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=6ms
INFO: Sensor SonarJavaXmlFileSensor [java]
INFO: Sensor SonarJavaXmlFileSensor [java] (done) | time=1ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=54ms
INFO: SCM Publisher is disabled
INFO: 3 files had no CPD blocks
INFO: Calculating CPD for 61 files
INFO: CPD calculation finished
INFO: Analysis report generated in 2349ms, dir size=617 KB
INFO: Analysis reports compressed in 15384ms, zip size=233 KB
INFO: Analysis report uploaded in 108ms
INFO: ANALYSIS SUCCESSFUL, you can browse https://sonarqube.mydomain/dashboard?id=security-scan
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarqube.mydomain/api/ce/task?id=<snip>
INFO: Task total time: 26.187 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 27.558s
INFO: Final Memory: 16M/295M
INFO: ------------------------------------------------------------------------

Here is the full sonar-project.properties file:

sonar.host.url=https://sonarqube.mydomain
sonar.scm.disabled=true

sonar.projectKey=security-scan
sonar.projectName=Security Scan
sonar.projectVersion=1.0

sonar.language=py

sonar.sources=src
sonar.tests=tests
sonar.python.coverage.reportPath=coverage.xml

sonar.python.bandit.reportPaths=bandit-report.json

sonar.exclusions=**/*.pyc,**/*.ini
sonar.test.exclusions=**/*.pyc

But nowhere in the SonarQube UI do I see this report. What am I missing?

Related Issues

Python code for security analysis using Bandit.

This is the only related issue I could find on SO. My issue is different. As I mentioned, Bandit report is generated correctly locally. But the issue seems to be with the upload to SonarQube.

Empty vulnerability report screenshot

Di answered 30/1, 2019 at 21:25 Comment(2)
Which version of SonarPython do you have? (Because Bandit is supported since SonarPython 1.11)Botello
Note: SonarPython 1.11 is embedded by default in SonarQube 7.6Botello
M
4

We added very recently the support of Bandit in SonarPython.

Are you using SonarPython 1.11 in your SonarQube 7.4 instance? You can check that in $SQ_HOME/extensions/plugins. If this is not the case, simply replace the sonar-python-plugin-xxx.jar by the 1.11 and that should fix your problem.

https://docs.sonarqube.org/display/PLUG/SonarPython

Thanks

Mammary answered 31/1, 2019 at 10:53 Comment(2)
Nice, I grabbed sonar-python plugin version 1.11.0.2473 on the release page docs.sonarqube.org/display/PLUG/SonarPython After I put sonar-python-plugin-1.10.0.2131.jar in /usr/local/sonar/extensions/plugins/ and restart the SonarQube service, I'm seeing the report in the UI. Scanner is showing the upload in the logs too, which is helpful +1: INFO: Sensor Import of Bandit issues [python] (done) | time=738msDi
Is it possible to triage the bandit report from the sonar cube ? Last time I checked it just displays the report but can't do any triage. I might be wrong. @Alexandre - SonarSource, can you please confirm ?Kienan
S
1

U have to add a .bandit file in your project root and define rules there.

then u also need to install pip install bandit into your env. Hope it works for you. this way works for me and it generates a report as defined by rules.

Smell answered 29/7, 2019 at 6:39 Comment(1)
Thanks Tony. Per my comment, my issue was resolved by upgrading to SonarPython 1.11.0.2473.Di

© 2022 - 2024 — McMap. All rights reserved.