
Feature: Detect Sonar as SAST via pom.xml #2085

Closed
edwardsph opened this issue Jul 21, 2022 · 8 comments
Assignees
Labels
kind/enhancement New feature or request

Comments

@edwardsph

Can you add support for detecting the use of SonarQube as well as SonarCloud. This would tend to be used on private repositories when people run Sonar in-house. For Java projects you would see this running as part of the Maven build or similar.

@edwardsph edwardsph added the kind/enhancement New feature or request label Jul 21, 2022
@naveensrinivasan
Member

Thanks, would you like to send a PR for this?

@edwardsph
Author

edwardsph commented Jul 21, 2022

I had a look at the code and wasn't sure what it was doing - I don't know Go

@laurentsimon
Contributor

@edwardsph is the setup using a config file committed to a repository?
Do you use https://github.com/SonarSource/sonarqube-scan-action?

The only way scorecard can detect it is if something is visible in the repository: files, directories, settings, etc

If it's only on a developer's machine, scorecard won't be able to detect it.

Can you tell us more how it works?

@edwardsph
Author

We don't use the action. The Sonar analysis is run within the Maven build during the CI/CD process so there is a GitHub workflow which runs ./mvnw sonar:sonar. The other evidence will be properties in the POM file such as sonar.host.url. Can that be used to detect Sonar?

@laurentsimon
Contributor

Yes, this should help. Can you link to an example of a POM file you use?
Looks like https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-maven/:

<sonar.host.url>
       http://myserver:9000
</sonar.host.url>

Correct?

What is the name of the file: pom.yml or settings.yml or something else?
Where does the file live: anywhere in the repo or a specific location?

@edwardsph
Author

Here is a link to a POM on an open source repo using SonarCloud: https://github.com/solid-contrib/conformance-test-harness/blob/main/pom.xml - it has properties:

        <sonar.organization>solid-contrib</sonar.organization>
        <sonar.host.url>https://sonarcloud.io</sonar.host.url>

The pom.xml is expected to be in the project root.
For a SonarQube example here are examples of the properties in use (I can't link as it is a private repo):

    <sonar.coverage.jacoco.xmlReportPaths>target/jacoco-report/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
    <sonar.host.url>https://sonarqube.private.domain</sonar.host.url>
    <sonar.projectKey>${projectKey}</sonar.projectKey>
    <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>

@laurentsimon
Contributor

I've sent #2114

@edwardsph edwardsph changed the title Feature Feature: Detect Sonar as SAST via pom.xml Aug 4, 2022
@spencerschrock
Member

Closing as this PR was merged. Re-open if it wasn't addressed.
