Feature: Detect Sonar as SAST via pom.xml

Open edwardsph opened this issue 3 years ago • 7 comments

Can you add support for detecting the use of SonarQube as well as SonarCloud. This would tend to be used on private repositories when people run Sonar in-house. For Java projects you would see this running as part of the Maven build or similar.

edwardsph avatar Jul 21 '22 11:07 edwardsph

Thanks, would you like to send a PR for this?

naveensrinivasan avatar Jul 21 '22 13:07 naveensrinivasan

I had a look at the code and wasn't sure what it was doing - I don't know Go

edwardsph avatar Jul 21 '22 13:07 edwardsph

@edwardsph is the setup using a config file committed to a repository? Do you use https://github.com/SonarSource/sonarqube-scan-action?

The only way scorecard can detect it is if something is visible in the repository: files, directories, settings, etc.

If it's only on a developer's machine, scorecard won't be able to detect it.

Can you tell us more how it works?

laurentsimon avatar Jul 22 '22 21:07 laurentsimon

We don't use the action. The Sonar analysis is run within the Maven build during the CI/CD process so there is a GitHub workflow which runs ./mvnw sonar:sonar. The other evidence will be properties in the POM file such as sonar.host.url. Can that be used to detect Sonar?

edwardsph avatar Aug 01 '22 11:08 edwardsph

Yes, this should help. Can you link to an example of POM file you use? Looks like https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-maven/:

    <sonar.host.url>
        http://myserver:9000
    </sonar.host.url>

Correct?

What is the name of the file: pom.yml or settings.yml or something else? Where does the file live: anywhere in the repo or a specific location?

laurentsimon avatar Aug 01 '22 15:08 laurentsimon

Here is a link to a POM on an open source repo using SonarCloud: https://github.com/solid-contrib/conformance-test-harness/blob/main/pom.xml - it has properties:

        <sonar.organization>solid-contrib</sonar.organization>
        <sonar.host.url>https://sonarcloud.io</sonar.host.url>

The pom.xml is expected to be in the project root. For a SonarQube example here are examples of the properties in use (I can't link as it is a private repo):

    <sonar.coverage.jacoco.xmlReportPaths>target/jacoco-report/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
    <sonar.host.url>https://sonarqube.private.domain</sonar.host.url>
    <sonar.projectKey>${projectKey}</sonar.projectKey>
    <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>

edwardsph avatar Aug 01 '22 16:08 edwardsph
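The pom.xml evidence described in the comments above, turned into a small detector as an added example (this is not scorecard's own code nor the linked PR): it parses the `<properties>` block of a POM and reports every `sonar.*` property name together with the `sonar.host.url` value. `samplePom` is a constructed input modelled on the properties quoted in this issue.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample pom.xml, modelled on the properties quoted in this issue.
const samplePom = `<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <java.version>17</java.version>
    <sonar.host.url>https://sonarqube.private.domain</sonar.host.url>
    <sonar.projectKey>${projectKey}</sonar.projectKey>
  </properties>
</project>`

// pom models only <properties>; children have arbitrary names, hence ",any".
type pom struct {
	Properties struct {
		Entries []struct {
			XMLName xml.Name
			Value   string `xml:",chardata"`
		} `xml:",any"`
	} `xml:"properties"`
}

// DetectSonarInPom returns the names of all sonar.* properties in a pom.xml and
// the trimmed sonar.host.url value (the evidence proposed in this issue).
func DetectSonarInPom(pomXML string) (props []string, hostURL string, err error) {
	var p pom
	if err = xml.Unmarshal([]byte(pomXML), &p); err != nil {
		return nil, "", err
	}
	for _, e := range p.Properties.Entries {
		if !strings.HasPrefix(e.XMLName.Local, "sonar.") {
			continue // ordinary Maven property such as java.version
		}
		props = append(props, e.XMLName.Local)
		if e.XMLName.Local == "sonar.host.url" {
			hostURL = strings.TrimSpace(e.Value) // value may span lines
		}
	}
	return props, hostURL, nil
}

func main() {
	props, host, err := DetectSonarInPom(samplePom)
	fmt.Println(props, host, err)
}
```

An empty name list means the POM carries no Sonar configuration; a real check would still need to locate pom.xml in the repository root, as noted above.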

I've sent https://github.com/ossf/scorecard/pull/2114

laurentsimon avatar Aug 01 '22 20:08 laurentsimon

Closing as this PR was merged. Re-open if it wasn't addressed.

spencerschrock avatar Aug 30 '23 18:08 spencerschrock