About SonarQube Remote Provider’s integration with ThreadFix and how to configure it.
Prerequisites
Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to the Remote Providers parent page. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.
Introduction
SonarQube is an automatic code review tool that detects bugs, vulnerabilities, and code smells in users' code. It can integrate with an existing workflow to enable continuous code inspection across project branches and pull requests.
ThreadFix uses the following endpoint to check the system version before assigning issue types upon import:
api/server/version
SonarQube Version Compatibility
When importing SonarQube scans from version 6 or version 8 instances, please note that the Security Hotspot issue type is unavailable in version 6 and has been removed from version 8. As such, only the Vulnerability type is available from those versions.
Configuring the Remote Provider Integration
The following are the fields needed to create the Remote Provider integration with a SonarQube instance:
Organization
SonarCloud Instance
In SonarCloud, the Organization may appear in the UI as the "Key" value (e.g., in the top right), while the URL shows it as the Organization, e.g., https://sonarcloud.io/organizations/<Organization>/projects
On-Prem Instance
In an on-prem instance of SonarQube, users may need to obtain the Organization value via API, as the Organization value may not appear in the UI. Use the following Postman collection:
In the collection are two calls: SQ_Login and SQ_ProjectSearch. Please follow these steps in order to run the collection.
In both SQ_Login and SQ_ProjectSearch, update the URL to point to the user's SonarQube instance.
Update both the login and password parameters for SQ_Login.
Run SQ_Login.
Run SQ_ProjectSearch.
SQ_ProjectSearch mimics the call ThreadFix uses to fetch the projects from SonarQube. The response is similar to:
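As an added example (not ThreadFix's or SonarQube's own code), the script below shows how to process the two responses this page relies on: the plain-text body of api/server/version is mapped to the issue types that can be imported for that major version, and the JSON body of the project search is scanned for the Organization key that may not be visible in an on-prem UI. The sample responses embedded in the script are constructed for the example and modelled on the shape of those endpoints' responses; the project keys, organization name, and the handling of major versions other than 6 and 8 are assumptions, not values from this page.

```python
"""Process the SonarQube responses used when configuring the ThreadFix
Remote Provider. Added example; not ThreadFix or SonarQube code."""
import json
from typing import List

# Constructed sample: api/server/version returns the version as plain text.
SAMPLE_VERSION_RESPONSE = "7.9.6"

# Constructed sample modelled on the api/projects/search response shape.
# Each component carries the organization key that an on-prem UI may not show.
SAMPLE_PROJECT_SEARCH_RESPONSE = json.dumps({
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 2},
    "components": [
        {"organization": "default-organization", "key": "billing-api",
         "name": "Billing API", "qualifier": "TRK", "visibility": "private"},
        {"organization": "default-organization", "key": "web-portal",
         "name": "Web Portal", "qualifier": "TRK", "visibility": "private"},
    ],
})


def major_version(version_text: str) -> int:
    """Parse the major number out of a version string such as '7.9.6'."""
    return int(version_text.strip().split(".")[0])


def issue_types_for_version(version_text: str) -> List[str]:
    """Issue types that can be imported for this SonarQube major version.

    Security Hotspot is unavailable in version 6 and was removed as an issue
    type in version 8, so those majors get Vulnerability only. Treating 7 as
    carrying both types, and anything newer than 8 like 8, is an assumption
    made for this example.
    """
    major = major_version(version_text)
    if major <= 6 or major >= 8:
        return ["VULNERABILITY"]
    return ["VULNERABILITY", "SECURITY_HOTSPOT"]


def organizations_from_search(response_text: str) -> List[str]:
    """Collect the distinct organization keys from a project search body.

    Raises ValueError when the body is not the expected JSON document, so a
    failed SQ_Login (which typically yields an error or HTML page instead of
    the project list) is reported rather than silently producing no keys.
    """
    try:
        body = json.loads(response_text)
    except json.JSONDecodeError as exc:
        raise ValueError("project search response is not JSON; "
                         "check that SQ_Login succeeded") from exc
    components = body.get("components") if isinstance(body, dict) else None
    if not isinstance(components, list):
        raise ValueError("project search response has no 'components' list")
    seen: List[str] = []
    for component in components:
        org = component.get("organization")
        if org and org not in seen:
            seen.append(org)
    return seen


if __name__ == "__main__":
    # Runs offline against the constructed samples above.
    print("issue types:", issue_types_for_version(SAMPLE_VERSION_RESPONSE))
    print("organizations:", organizations_from_search(SAMPLE_PROJECT_SEARCH_RESPONSE))
```

To use it against a real instance, save the body returned by SQ_ProjectSearch (or by the equivalent curl request made with the session cookie from SQ_Login) to a file and pass its contents to organizations_from_search; the distinct keys it returns are the candidates for the Organization field.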