Sonar Plugin

Installation

The ThreadFix SonarQube plugin can be downloaded from the "Download Tools" page inside of ThreadFix. This is located under the cog menu in the top-right corner.

To install the ThreadFix Sonar plugin, put the jar in the plugins folder (located at SONAR_HOME/extensions/plugins) and restart Sonar. You can verify that the plugin was installed correctly by looking for the ThreadFix widget in the dashboard widget configuration.

Configuration - Server

By default, ThreadFix will create a new Quality Profile for each language in the Sonar system. If you have the C#, Java, and Groovy plugins installed, ThreadFix will create profiles for each one. This is due to the language limitations that Sonar imposes on rules.

Each Quality Profile has an associated startup time and memory cost. To enable ThreadFix quality profiles for only some installed languages, set the following property in your sonar.properties file (in the conf folder).

threadfix.profiles=java,cs

When the ThreadFix plugin starts up, it will only activate quality profiles for the languages in that list. The keys per language are as follows:

  • ABAP: abap
  • C: c
  • Cobol: cobol
  • C++: cpp
  • C#: cs
  • CSS: css
  • Flex: flex
  • Groovy: grvy
  • Java: java
  • JavaScript: js
  • Objective-C: objc
  • PHP: php
  • PLI: pli
  • PL/SQL: plsql
  • Python: py
  • RPG: rpg
  • Visual Basic: vb
  • Visual Basic.NET: vbnet
  • Web: web
  • XML: xml

Configuration - Client

The ThreadFix Sonar plugin can be configured in one of two ways. One will pull results from a ThreadFix server for display in the Sonar console, and the other will parse this information from local files directly.

Server mode

To use the ThreadFix server mode, you must navigate to the directory where your project is located and set the following parameters in your Sonar or Maven configuration:

sonar-project.properties

# Activate the ThreadFix Quality Profile
sonar.profile=ThreadFix

# This is the url of your installation with /rest/ at the end.
threadfix.url=https://internal-threadfix/rest/

# Long key generated on API Keys page in the ThreadFix UI
threadfix.apiKey=[THREADFIX_API_KEY]

# Your application's ID in ThreadFix (integer)
threadfix.applicationId=[THREADFIX_APPLICATION_ID]
# or you can use this (use when you only have one application with that name)
threadfix.applicationName=[THREADFIX_APPLICATION_NAME]

# Plus all the normal Sonar project setup stuff...

sonar.projectKey=[PROJECT_KEY]
sonar.projectName=[PROJECT_NAME]
sonar.projectVersion=[PROJECT_VERSION]
sonar.sources=[PATH_TO_SOURCES]

Maven

<properties>
    <!-- Activate the ThreadFix Quality Profile -->
    <sonar.profile>ThreadFix</sonar.profile>

    <!-- This is the url of your installation with /rest/ at the end. -->
    <threadfix.url>https://internal-threadfix/rest/</threadfix.url>

    <!-- Long key generated on API Keys page in the ThreadFix UI -->
    <threadfix.apiKey>[THREADFIX_API_KEY]</threadfix.apiKey>

    <!-- Your application's ID in ThreadFix -->
    <threadfix.applicationId>[THREADFIX_APPLICATION_ID]</threadfix.applicationId>
    <!-- or you can use this (use when you only have one application with that name) -->
    <threadfix.applicationName>[THREADFIX_APPLICATION_NAME]</threadfix.applicationName>
</properties>

When the analysis runs, the plugin will query the ThreadFix server for information such as markers.
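The server-mode configuration above places the ThreadFix API key in a sonar-project.properties file, which is easy to commit to source control by accident. The following is an added example, not part of the plugin or its documentation, that passes the same properties to sonar-runner as -D overrides taken from environment variables and refuses to run when the key is missing or the URL is not an HTTPS URL ending in /rest/. The property names are the ones from this page; the function and variable names (threadfix_sonar_args, THREADFIX_API_KEY, THREADFIX_URL, THREADFIX_APPLICATION_ID) are this example's own.

```shell
#!/bin/sh
# Added example (not the plugin's own code): build sonar-runner -D overrides
# for ThreadFix server mode from environment variables so the API key never
# sits in a committed sonar-project.properties file.
#
# Assumed inputs (names chosen for this example):
#   THREADFIX_API_KEY         - key from the API Keys page in the ThreadFix UI
#   THREADFIX_URL             - https://<host>/rest/
#   THREADFIX_APPLICATION_ID  - integer application ID in ThreadFix

# Print one -D override per line. Return non-zero and print nothing on
# stdout if the key or application ID is unset, or if the URL is not an
# https URL ending in /rest/, so a misconfigured run fails before any
# request is made.
threadfix_sonar_args() {
  key="${THREADFIX_API_KEY:-}"
  url="${THREADFIX_URL:-}"
  app="${THREADFIX_APPLICATION_ID:-}"

  [ -n "$key" ] || { echo "THREADFIX_API_KEY is not set" >&2; return 1; }
  [ -n "$app" ] || { echo "THREADFIX_APPLICATION_ID is not set" >&2; return 1; }

  # Reject plain http and URLs missing the /rest/ suffix the plugin expects.
  case "$url" in
    https://*/rest/) ;;
    *) echo "THREADFIX_URL must be an https URL ending in /rest/" >&2; return 1 ;;
  esac

  printf '%s\n' \
    "-Dsonar.profile=ThreadFix" \
    "-Dthreadfix.url=$url" \
    "-Dthreadfix.apiKey=$key" \
    "-Dthreadfix.applicationId=$app"
}

# Usage (after exporting the three variables, e.g. from a CI secret store):
#   sonar-runner $(threadfix_sonar_args)
```

Note that -D overrides are visible in the process list for the lifetime of the run; on a shared build host, writing the same values to a temporary properties file with restrictive permissions is the safer choice.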

Local mode

Similarly, to use Sonar with ThreadFix in local mode, you must navigate to the directory where your project is located and set the following parameters in your Sonar or Maven configuration:

sonar-runner.properties

# Activate the ThreadFix Quality Profile
sonar.profile=ThreadFix

# Enter one or more of the following.
# These are the full file paths:
threadfix.localFiles=/path/to/file.xml,/path/to/other/file.xml

# These are directories with scan files in them
threadfix.localDirectories=/path/to/scan/files/directory

Maven

<properties>
    <!-- Activate the ThreadFix Quality Profile -->
    <sonar.profile>ThreadFix</sonar.profile>

    <!-- These are the full file paths: -->
    <threadfix.localFiles>/path/to/file.xml,/path/to/other/file.xml</threadfix.localFiles>

    <!-- These are directories with scan files in them -->
    <threadfix.localDirectories>/path/to/scan/files/directory</threadfix.localDirectories>
</properties>

Using local files limits you to one file per scanner per project (i.e. only one scan file from OWASP ZAP). While specifying more would be technically feasible, ThreadFix requires that scan files from a specific scanner be loaded in chronological order. The plugin currently does not sort scan files per scanner to get the most recent.
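Because the plugin does not sort scan files per scanner, the selection of the single most recent file per scanner has to happen before the analysis runs. The following is an added example, not part of the plugin, that builds a threadfix.localFiles value from the newest file in each scanner directory. It assumes a layout that is this example's own: one sub-directory per scanner under a scans root, each holding only that scanner's export files; the function name newest_scan_per_scanner is also this example's.

```shell
#!/bin/sh
# Added example (not the plugin's own code): for local mode, choose the most
# recently modified scan file in each scanner directory and print them as a
# comma-separated threadfix.localFiles value.
#
# Assumed layout (this example's own):
#   <root>/<scanner-name>/<one or more export files>
# e.g. /path/to/scans/zap/zap-2020-06-01.xml

# Print the newest file from each sub-directory of $1, comma-separated, in
# sub-directory name order. Directories with no regular files are skipped.
newest_scan_per_scanner() {
  root="$1"
  list=""
  for dir in "$root"/*/; do
    [ -d "$dir" ] || continue
    newest=""
    for f in "$dir"*; do
      [ -f "$f" ] || continue
      # -nt compares modification times; keep the later one.
      if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
        newest="$f"
      fi
    done
    [ -n "$newest" ] || continue
    list="${list:+$list,}$newest"
  done
  printf '%s\n' "$list"
}

# Usage:
#   sonar-runner -Dsonar.profile=ThreadFix \
#     -Dthreadfix.localFiles="$(newest_scan_per_scanner /path/to/scans)"
```

Because only one file per scanner is passed, the chronological-order requirement described above is satisfied trivially, and each scanner's directory can keep its older exports for reference without them being picked up.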

That said, the plugin does perform merges across scanners, so multiple scan files can be loaded as long as they are all from different scanners. It also performs Hybrid Analysis Mapping (HAM) so that static scans and dynamic scans are merged. This also allows dynamic scan results to be viewed in Sonar by mapping dynamic results to the responsible source file, thus displaying these results alongside the appropriate code.