9

I'm looking for a Static Application Security Testing (SAST) tool and I can't afford the commercial products (e.g. Checkmarx).

SonarQube is a great static code analysis tool, but I notice that there are only a few rules of the "Vulnerabilities" type ("Vulnerabilities" equals "Security", am I right?).

I plan to extend it with some custom plugins including a lot of vulnerability rules (maybe hundreds of rules for C/C++, Java, and other languages that SonarQube supports).

Is that a practicable way to make SonarQube a "Checkmarx-like" tool? Or is SonarQube suitable for static security testing? (I'm not sure whether Sonar Scanner is suitable for scanning for security problems.)

Thanks a lot!

U880D
DogJunior
  • Today SonarQube as is cannot replace the Checkmarx tool. Maybe end 2018/2019 the story would be different. – Jeroen Heier Nov 24 '17 at 18:02
  • SonarQube now has security rules for OWASP Top 10 2017 in addition to other security vulnerability rules. https://docs.sonarqube.org/latest/user-guide/security-rules/ – whitestryder Nov 12 '19 at 17:28
  • And this link says SonarQube now performs SAST: https://www.sonarqube.org/features/security/ – whitestryder Nov 12 '19 at 17:39
  • So @JeroenHeier, what is your opinion now, in 2020? – Attila Csipak May 01 '20 at 16:32
  • @AttilaCsipak You can have a look here: https://www.itcentralstation.com/products/comparisons/checkmarx_vs_sonarqube – Jeroen Heier Jun 20 '20 at 11:40
  • This report tries to aggregate user reviews, which are wildly subjective. Maybe there are more objective means to compare SAST tools. For example I read a Gartner research paper comparing SAST (and other security) tools recently. Regrettably SonarQube wasn't included for various reasons (being OSS-based, not primarily security-focused etc.). Thanks anyways for pointing me towards IT Central Station. – Attila Csipak Jun 24 '20 at 08:07

4 Answers

5

There is a separate SAST tool released by the OWASP team named "OWASP SonarQube". This is developed using the SonarQube tool, but as a SAST tool.

This tool can be integrated with your project build the same way as the SonarQube integration. So if you are familiar with SonarQube, it will be a straightforward move.

lkamal
  • The associated GitHub repo has been archived and is read-only. It looks to me like the OWASP SonarQube project has been retired. https://community.sonarsource.com/t/owasp-sonarqube-project/36920/2 – Paul G Feb 01 '21 at 21:18
  • @PaulG - however, the SonarQube product still supports security tests as a SAST tool, as per the website https://www.sonarqube.org/features/security/ – lkamal Feb 02 '21 at 10:32
2

I don't know Checkmarx, but if you only filter for vulnerabilities you may only see 33 rules. If you instead filter for different standards like SANS, CWE, CERT and the like, there are many more: https://www.sonarsource.com/products/codeanalyzers/sonarjava/rules.html#CERT

Also, you can add FindBugs with the find-sec-bugs plugin, which has over 125 security bug patterns... You may have to deactivate the redundant ones, though (and it is only for Java...).

Lonzak
2

As there is no recent answer and the others are very old, here is an update from 2023: depending on your language requirements, yes, SonarQube can be used for SAST, including the free Community Edition.

For details have a look at https://www.sonarsource.com/solutions/security/

M_dk
-3

I would like to draw your attention to the PVS-Studio tool. It is oriented not only towards code quality control (searching for code smells), but also towards finding real errors and potential vulnerabilities. Here is the list showing the correspondence between PVS-Studio diagnostics and CWE. Soon it will be possible to work in CWE mode in the PVS-Studio interface. It is planned for the next PVS-Studio 6.20 release.

PVS-Studio is a tool for bug detection in the source code of programs written in C, C++, and C#. It works in Windows and Linux environments. Another pleasant addition is the ability to integrate PVS-Studio with SonarQube.

AndreyKarpov