As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
SonarQube Remote Provider
You will learn
About SonarQube Remote Provider’s integration with ThreadFix and how to configure it.
Prerequisites
Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.
We will update this page at a future time with more details on the Remote Provider integration with this specific scanning tool.
If you have any questions, please reach out to support@threadfix.it.
Introduction
SonarQube is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests.
Fetching applications
Fetch Applications (requires 'System Administrator' permission)
Endpoint: /api/projects/search
Doc reference: https://sonarcloud.io/web_api/api/projects/search
ThreadFix paginates this request.
Fetching scans
Fetch Scans (requires the 'Browse' permission on the projects)
Endpoint: /api/issues/search
Doc reference: https://sonarcloud.io/web_api/api/issues/search
ThreadFix paginates this request.
Version Check
Version Check
Endpoint: /api/server/version
As of version 2.8.4, ThreadFix uses this endpoint to check the SonarQube server version before assigning issue types upon import.
SonarQube Version Compatibility
ThreadFix only supports importing mappings for the SonarQube finding types Vulnerability and Hotspot. Users can recategorize any other finding as one of the two supported types and re-import it; such findings are then imported and appear as unmapped vulnerabilities with a naming convention similar to the one below:
Note: As of version 2.8.8, ThreadFix only supports importing Hotspot findings with the SonarQube v8 (8.9) and v9 configurations.
Configuring the Remote Provider Integration
The following are the fields needed to create the Remote Provider integration with your SonarQube instance:
Organization
The following content applies only to ThreadFix versions 2.8.7 and older.
SonarCloud Instance
In SonarCloud, the Organization may appear as the "Key" value (e.g., in the top right), while the URL shows it as the Organization, e.g., https://sonarcloud.io/organizations/<Organization>/projects
On-Prem Instance
In an on-prem instance of SonarQube, the Organization value may not appear in the UI, so you may need to obtain it via the API:
Use the following Postman collection:
In the collection, you will find two calls, SQ_Login and SQ_ProjectSearch. Follow these steps in order to run the collection.
In both SQ_Login and SQ_ProjectSearch, update the URL to point to your SonarQube instance.
Update both the login and password parameters for SQ_Login.
Run SQ_Login.
Run SQ_ProjectSearch.
SQ_ProjectSearch mimics the call ThreadFix uses to fetch the projects from SonarQube. You should see a response similar to:
Use the “organization” value in the JSON response for the “Organization” field in the Remote Provider page.
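As an added example (not part of this page or of ThreadFix), the script below reproduces what the SQ_ProjectSearch call and ThreadFix's paginated /api/projects/search fetch do, then extracts the "organization" value to paste into the Remote Provider page. It assumes authentication with a SonarQube user token sent as the HTTP basic-auth username, rather than the login/password flow of SQ_Login; the sample response pages are constructed to match the documented response shape.

```python
"""Walk /api/projects/search page by page and collect the 'organization' values."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

Fetcher = Callable[[str, Dict[str, str]], dict]


def http_get_json(base_url: str, token: str) -> Fetcher:
    """Build a fetcher for a real instance. Assumption: a SonarQube user token is
    accepted as the basic-auth username with an empty password."""
    def fetch(path: str, params: Dict[str, str]) -> dict:
        url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url)
        cred = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def search_projects(fetch: Fetcher, page_size: int = 100) -> List[dict]:
    """Request every page (p/ps parameters) and flatten the 'components' lists,
    stopping on the 'paging' block so a large instance is not truncated."""
    projects: List[dict] = []
    page = 1
    while True:
        body = fetch("/api/projects/search", {"p": str(page), "ps": str(page_size)})
        components = body.get("components", [])
        projects.extend(components)
        paging = body.get("paging", {})
        if not components or page * paging.get("pageSize", page_size) >= paging.get("total", 0):
            return projects
        page += 1


def organization_keys(projects: List[dict]) -> List[str]:
    """Distinct 'organization' values: what goes into ThreadFix's Organization field."""
    return sorted({p["organization"] for p in projects if "organization" in p})


# Constructed sample: two pages of a /api/projects/search response (page size 2, total 3).
SAMPLE_PAGES = {
    1: {"paging": {"pageIndex": 1, "pageSize": 2, "total": 3},
        "components": [{"key": "app-a", "name": "App A", "organization": "example-org"},
                       {"key": "app-b", "name": "App B", "organization": "example-org"}]},
    2: {"paging": {"pageIndex": 2, "pageSize": 2, "total": 3},
        "components": [{"key": "app-c", "name": "App C", "organization": "example-org"}]},
}


def sample_fetch(path: str, params: Dict[str, str]) -> dict:
    """Offline stand-in for http_get_json that serves the constructed pages."""
    return SAMPLE_PAGES[int(params["p"])] if path == "/api/projects/search" else {}
```

For a live instance, replace sample_fetch with http_get_json("https://sonarqube.example.internal", "<token>") (placeholder host and token) and run organization_keys(search_projects(fetch)).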
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.