Versions Compared

Old Version 4

changes.mady.by.user Daniel Colon

Saved on

compared with

New Version 5

changes.mady.by.user Daniel Colon

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Update per TFDEV- 441 and 344
Image RemovedImage Added

📙 You will learn

About SonarQube Remote Provider’s integration with ThreadFix and how to configure it.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to the Remote Providers parent page. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.

Introduction

SonarQube is an automatic code review tool to detect bugs, vulnerabilities, and code smells in user’s code. It can integrate with an existing workflow to enable continuous code inspection across project branches and pull requests.

Fetching applications

ThreadFix paginates this request. Doc reference: https://sonarcloud.io/web_api/api/projects/search

Code Block
/api/projects/search

Fetching scans

ThreadFix paginates this request. Doc reference: https://sonarcloud.io/web_api/api/issues/search

Code Block
/api/issues/search

Version Check

ThreadFix uses this endpoint to check system version before assigning issue types upon import.

Code Block
api/server/version

SonarQube Version Compatibility

When importing SonarQube scans from version 6 and 8 instances, please note the ThreadFix only supports importing mappings for finding types of Vulnerability and Hotspot. Users can recategorize all other findings as either supported type and re-import them. These will then be imported and appear as unmapped vulnerabilities with a naming convention similar to below:

Image Added

Note: As of version 3.1.1, ThreadFix supports importing Hotspot finding with the Sonarqube v7(7.9), v8(8.9), and V9 configurations. The Security Hotspot type is unavailable in version 6 and has been removed from version 8. As , as such, only the Vulnerability type is available.

Configuring the Remote Provider Integration

The following are the fields needed to create the Remote Provider integration with SonarQube instance:

Image RemovedImage Added

Organization

SonarCloud Instance

  • In SonarCloud, the Organization may appear as the "Key" value (e.g., in the top right), though the URL shows it as the Organization ...e.g., https://sonarcloud.io/organizations/ <Organization>/projects

On-Prem Instance

  • In an on-prem instance of SonarQube, users may need to obtain the Organization value via API, as the Organization value may not appear in the UI. Use the following Postman collection:

View file
nameSonarQube.postman_collection.json

In the collection are two calls: SQ_Login and SQ_ProjectSearch. Please follow these steps in order to run the collection.

  1. In both SQ_Login and SQ_ProjectSearch, update the url to point to the user’s SonarQube instance.

  2. Update both the login and password parameters for SQ_Login.

  3. Run SQ_Login.

  4. Run SQ_ProjectSearch.

The SQ_ProjectSearch will mimic a similar call ThreadFix uses to fetch the projects from SonarQube. In the response the response is similar to:

Code Block
languagebash
{
    "paging": {
        "pageIndex": 1,
        "pageSize": 100,
        "total": 1
    },
    "components": [
        {
            "organization": "default-organization",
            "key": "ThreadFix-2.8.1.2",
            "name": "ThreadFix",
            "qualifier": "TRK",
            "visibility": "public",
            "lastAnalysisDate": "2020-08-05T19:54:48+0000",
            "revision": "d7378896ab3c38954d310e5b473684062358471e"
        }
    ]
}

Use the “organization” value in the JSON response for the “Organization” field in the Remote Provider page.

This page will be updated at a future time with more details on the Remote Provider integration with this specific scanning tool.

Table of Contents

Table of Contents