As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Sonar Plugin
You will learn
How to get, install, and configure the Sonar plugin with ThreadFix.
Installation
The ThreadFix SonarQube plugin can be downloaded from the "Download Tools" page inside of ThreadFix. This is located under the cog menu in the top-right corner.
To install the ThreadFix Sonar plugin, put the jar in the plugins folder (located at SONAR_HOME/extensions/plugins) and restart Sonar. You can verify that the plugin was installed correctly by looking for the ThreadFix widget in the dashboard widget configuration.
Configuration - Server
By default, ThreadFix will create a new Quality Profile for each language in the Sonar system. If you have the C#, Java, and Groovy plugins installed, ThreadFix will create profiles for each one. This is due to the language limitations that Sonar imposes on rules.
Each Quality Profile has an associated startup time and memory cost. To enable ThreadFix quality profiles for only some installed languages, set the following property in your sonar.properties file (in the conf folder).
threadfix.profiles=java,cs
When the ThreadFix plugin starts up, it will only activate plugins in that list. The keys per language are as follows:
ABAP: abap
C: c
Cobol: cobol
C++: cpp
C#: cs
CSS: css
Flex: flex
Groovy: grvy
Java: java
JavaScript: js
Objective-C: objc
PHP: php
PLI: pli
PL/SQL: plsql
Python: py
RPG: rpg
Visual Basic: vb
Visual Basic.NET: vbnet
Web: web
XML: xml
Configuration - Client
The ThreadFix Sonar plugin can be configured in one of two ways. One will pull results from a ThreadFix server for display in the Sonar console, and the other will parse this information from local files directly.
Server mode
To use the ThreadFix server mode, you must navigate to the directory where your project is located and set the following parameters in your Sonar or Maven configuration:
sonar-project.properties
# Activate the ThreadFix Quality Profile
sonar.profile=ThreadFix
# This is the url of your installation with /rest/ at the end.
threadfix.url=https://internal-threadfix/rest/
# Long key generated on API Keys page in the ThreadFix UI
threadfix.apiKey=[THREADFIX_API_KEY]
# Your application's ID in ThreadFix (integer)
threadfix.applicationId=[THREADFIX_APPLICATION_ID]
# or you can use this (use when you only have one application with that name)
threadfix.applicationName=[THREADFIX_APPLICATION_NAME]
# Plus all the normal Sonar project setup stuff...
sonar.projectKey=[PROJECT_KEY]
sonar.projectName=[PROJECT_NAME]
sonar.projectVersion=[PROJECT_VERSION]
sonar.sources=[PATH_TO_SOURCES]
Maven
<properties>
<!-- Activate the ThreadFix Quality Profile -->
<sonar.profile>ThreadFix</sonar.profile>
<!-- This is the url of your installation with /rest/ at the end. -->
<threadfix.url>https://internal-threadfix/rest/</threadfix.url>
<!-- Long key generated on API Keys page in the ThreadFix UI -->
<threadfix.apiKey>[THREADFIX_API_KEY]</threadfix.apiKey>
<!-- Your application's ID in ThreadFix -->
<threadfix.applicationId>[THREADFIX_APPLICATION_ID]</threadfix.applicationId>
<!-- or you can use this (use when you only have one application with that name) -->
<threadfix.applicationName>[THREADFIX_APPLICATION_NAME]</threadfix.applicationName>
</properties>When the analysis runs, the plugin will query the ThreadFix server for information such as markers.
Local mode
Similarly, to use Sonar with ThreadFix in local mode, you must navigate to the directory where your project is located and set the following parameters in your Sonar or Maven configuration:
sonar-runner.properties
Maven
Using local files limits you to one file per scanner per project (i.e. only one scan file from OWASP ZAP). While specifying more would be technically feasible, ThreadFix requires that scan files from a specific scanner be loaded in chronological order. The plugin currently does not sort scan files per scanner to get the most recent.
That said, the plugin does perform merges across scanners so multiple scan files can be loaded as long as they are all from different scanners. It also performs Hybrid Analysis Mapping (HAM) so that static scans and dynamic scans are merged. This also allows dynamic scan results to be viewed in Sonar by mapping dynamic results to the responsible source file, this displaying these results alongside the appropriate code.
Table of Contents
- 1 You will learn
- 1.1 Installation
- 1.1.1 Configuration - Server
- 1.1.2 Configuration - Client
- 1.2 Server mode
- 1.2.1 sonar-project.properties
- 1.2.2 Maven
- 1.3 Local mode
- 1.3.1 sonar-runner.properties
- 1.3.2 Maven
- 1.1 Installation
- 2 Table of Contents
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.