├── plugin └── src │ └── main │ ├── resources │ ├── rules.yml │ ├── static │ │ ├── star_rating_0.png │ │ ├── star_rating_1.png │ │ ├── star_rating_2.png │ │ ├── star_rating_3.png │ │ ├── star_rating_4.png │ │ ├── star_rating_5.png │ │ ├── skinny_up_arrow.png │ │ ├── star_rating_0_5.png │ │ ├── star_rating_1_5.png │ │ ├── star_rating_2_5.png │ │ ├── star_rating_3_5.png │ │ ├── star_rating_4_5.png │ │ └── skinny_right_arrow.png │ ├── org │ │ └── sonar │ │ │ └── l10n │ │ │ ├── fortify.properties │ │ │ └── fortify_it.properties │ ├── metrics-fod.yml │ └── FortifyRuleDescription.html │ └── java │ └── com │ └── fortify │ └── integration │ └── sonarqube │ ├── common │ ├── issue │ │ ├── IFortifySourceSystemIssueQueryHelper.java │ │ ├── IFortifyIssueInputFileRetriever.java │ │ ├── IFortifyIssueRuleKeysRetriever.java │ │ ├── AbstractFortifySourceSystemIssueQueryHelper.java │ │ ├── IFortifySourceSystemIssueFieldRetriever.java │ │ ├── AbstractFortifySourceSystemIssueFieldRetriever.java │ │ ├── IFortifyIssueJSONMapProcessorFactory.java │ │ ├── FortifyIssueRuleKeysRetrieverSingleRule.java │ │ ├── FortifyIssueRuleKeysRetrieverExternalList.java │ │ └── FortifyIssueInputFileRetrieverPathBased.java │ ├── IFortifyExtensionProvider.java │ ├── source │ │ ├── fod │ │ │ ├── scanner │ │ │ │ └── IFortifyFoDScannerSideConnectionHelper.java │ │ │ ├── metrics │ │ │ │ ├── FortifyFoDConfigurableMetrics.java │ │ │ │ └── FortifyFoDConnectionPropertiesMetrics.java │ │ │ ├── FortifyCommonFoDExtensionProvider.java │ │ │ ├── IFortifyFoDConnectionHelper.java │ │ │ ├── issue │ │ │ │ └── FortifyFoDIssueQueryHelper.java │ │ │ └── ce │ │ │ │ └── FortifyFoDConfigurableMeasureComputer.java │ │ └── ssc │ │ │ ├── scanner │ │ │ └── IFortifySSCScannerSideConnectionHelper.java │ │ │ ├── metrics │ │ │ ├── FortifySSCConfigurableMetrics.java │ │ │ └── FortifySSCConnectionPropertiesMetrics.java │ │ │ ├── FortifyCommonSSCExtensionProvider.java │ │ │ ├── IFortifySSCConnectionHelper.java │ │ │ └── issue │ │ │ ├── 
FortifySSCIssueQueryHelper.java │ │ │ └── FortifySSCIssueFieldsRetriever.java │ ├── ce │ │ └── IFortifyComputeEngineSideConnectionHelper.java │ ├── IFortifyConnectionHelper.java │ ├── FortifyCommonExtensionProvider.java │ ├── profile │ │ └── FortifyProfile.java │ ├── metrics │ │ └── AbstractFortifyConfigurableMetrics.java │ ├── FortifyConstants.java │ └── package-info.java │ ├── sq67 │ ├── FortifySQ67ExtensionProvider.java │ ├── package-info.java │ ├── source │ │ ├── fod │ │ │ ├── scanner │ │ │ │ ├── FortifyFoDSQ67ScannerSideConnectionHelper.java │ │ │ │ └── FortifyFoDSQ67ConnectionPropertiesMetricsSensor.java │ │ │ └── FortifyFoDSQ67ExtensionProvider.java │ │ └── ssc │ │ │ ├── scanner │ │ │ ├── FortifySSCSQ67ScannerSideConnectionHelper.java │ │ │ ├── FortifySSCSQ67UploadFPRStartable.java │ │ │ └── FortifySSCSQ67ConnectionPropertiesMetricsSensor.java │ │ │ ├── FortifySSCSQ67ExtensionProvider.java │ │ │ └── ui │ │ │ └── FortifySSCWidget.java │ ├── issue │ │ └── FortifySQ67IssueJSONMapProcessorFactory.java │ └── scanner │ │ └── FortifySQ67AbstractSensor.java │ └── sq76 │ ├── FortifySQ76ExtensionProvider.java │ ├── source │ ├── fod │ │ ├── scanner │ │ │ ├── FortifyFoDSQ76ScannerSideConnectionHelper.java │ │ │ ├── FortifyFoDSQ76ConnectionPropertiesMetricsSensor.java │ │ │ └── FortifyFoDSQ76IssueSensor.java │ │ └── FortifyFoDSQ76ExtensionProvider.java │ └── ssc │ │ ├── scanner │ │ ├── FortifySSCSQ76ScannerSideConnectionHelper.java │ │ ├── FortifySSCSQ76UploadFPRStartable.java │ │ ├── FortifySSCSQ76ConnectionPropertiesMetricsSensor.java │ │ └── FortifySSCSQ76IssueSensor.java │ │ └── FortifySSCSQ76ExtensionProvider.java │ ├── package-info.java │ └── scanner │ └── FortifySQ76AbstractProjectSensor.java ├── .travis.yml ├── .gitignore ├── dist └── src │ ├── site │ ├── markdown │ │ ├── index.md │ │ ├── sonar-rules.md │ │ ├── fod-usage.md │ │ ├── sonar-config.md │ │ ├── compatibility.md │ │ ├── ssc-artifacts.md │ │ ├── sonar-install.md │ │ ├── sonar-files.md │ │ ├── 
ssc-usage.md │ │ └── ssc-prep.md │ └── site.xml │ ├── license │ ├── licenses.xml │ └── THIRD-PARTY.properties │ └── main │ └── assembly │ └── dist.xml ├── LICENSE.TXT ├── common ├── src │ └── main │ │ └── java │ │ └── com │ │ └── fortify │ │ └── integration │ │ └── sonarqube │ │ └── common │ │ ├── IMetricsExpressionField.java │ │ ├── config │ │ ├── AbstractYmlConfig.java │ │ ├── RulesConfig.java │ │ ├── AbstractPropertyChangeSupport.java │ │ └── AbstractYmlRootConfig.java │ │ ├── SourceSystem.java │ │ ├── fod │ │ └── FoDMetricsExpressionField.java │ │ ├── externalmetadata │ │ ├── ExternalCategory.java │ │ └── FortifyExternalMetadata.java │ │ ├── ssc │ │ └── SSCMetricsExpressionField.java │ │ └── MetricsExpressionFieldsHTMLDescriptionHelper.java └── pom.xml ├── TODO.txt └── configure └── src └── main └── java └── com └── fortify └── integration └── sonarqube └── configure └── ExpressionHelpDialog.java /plugin/src/main/resources/rules.yml: -------------------------------------------------------------------------------- 1 | rulesSourceName: "Single Fortify Rule" -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | sudo: false 2 | dist: bionic 3 | language: java 4 | jdk: openjdk11 -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .classpath 2 | .project 3 | .settings/ 4 | target/ 5 | *.fpr 6 | **/.factorypath 7 | -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_0.png 
-------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_1.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_2.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_3.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_4.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_5.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/skinny_up_arrow.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/skinny_up_arrow.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_0_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_0_5.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_1_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_1_5.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_2_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_2_5.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_3_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_3_5.png -------------------------------------------------------------------------------- /plugin/src/main/resources/static/star_rating_4_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/star_rating_4_5.png -------------------------------------------------------------------------------- 
/plugin/src/main/resources/static/skinny_right_arrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortify-ps/fortify-integration-sonarqube/HEAD/plugin/src/main/resources/static/skinny_right_arrow.png -------------------------------------------------------------------------------- /dist/src/site/markdown/index.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | This SonarQube plug-in allows for importing Fortify scan results into SonarQube. This includes the following features: 3 | 4 | * Load vulnerability data from Fortify SSC or Fortify on Demand, and display each vulnerability as a SonarQube issue 5 | * Load various metrics and other meta-data from Fortify SSC or FoD, like issue counts and artifact status. 6 | * These metrics can be used to define Quality Gates. 7 | 8 | 9 | -------------------------------------------------------------------------------- /plugin/src/main/resources/org/sonar/l10n/fortify.properties: -------------------------------------------------------------------------------- 1 | # 2 | # This bundle must be stored in the package org.sonar.l10n and its name must be _.properties 3 | # 4 | fortify.FortifySecurityRating=SSC Security Rating 5 | fortify.FortifyIssuesByFolder=SSC Issues By Folder 6 | fortify.FortifyIssuesByPriority=SSC Issues By Priority 7 | fortify.TotalRemedationEffort = SSC Total Remedation Effort (Hours) 8 | fortify.Impact = Impact 9 | fortify.Likelihood = Likelihood -------------------------------------------------------------------------------- /plugin/src/main/resources/org/sonar/l10n/fortify_it.properties: -------------------------------------------------------------------------------- 1 | # 2 | # This bundle must be stored in the package org.sonar.l10n and its name must be _.properties 3 | # 4 | fortify.FortifySecurityRating=Puntuacion de seguridad Fortify 5 | fortify.FortifyIssuesByFolder=Defectos 
por Carpeta 6 | fortify.FortifyIssuesByPriority=Defectos por Prioridad 7 | fortify.TotalRemedationEffort = Tiempo de Remediacion Total (Horas) 8 | fortify.Impact = Impacto 9 | fortify.Likelihood = Probabilidad -------------------------------------------------------------------------------- /dist/src/site/markdown/sonar-rules.md: -------------------------------------------------------------------------------- 1 | # Fortify SonarQube rules 2 | Contrary to earlier versions of the plugin, all Fortify-related rules are now defined under the 3 | 'Fortify' language. The plugin defines a default quality profile with all Fortify-related rules 4 | enabled, so you no longer need to manually enable Fortify-related rules for the various 5 | SonarQube-supported languages. 6 | 7 | Of course, you can still disable specific Fortify-related rules in the Fortify Quality Profile 8 | to prevent any vulnerabilities corresponding to these rules to be loaded into SonarQube. 9 | 10 | -------------------------------------------------------------------------------- /dist/src/license/licenses.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | 8 | net.jcip 9 | jcip-annotations 10 | 11 | 12 | Creative Commons 2.5 Attribution License 13 | 14 | 15 | 16 | 17 | javax.xml.stream 18 | stax-api 19 | 20 | 21 | Dual license: CDDL 1.0 and GPL v2 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /dist/src/license/THIRD-PARTY.properties: -------------------------------------------------------------------------------- 1 | # Generated by org.codehaus.mojo.license.AddThirdPartyMojo 2 | #------------------------------------------------------------------------------- 3 | # Already used licenses in project : 4 | # - Apache 2.0 5 | # - Apache License 2.0 6 | # - BSD 7 | # - BSD style 8 | # - CDDL 1.0 9 | # - CDDL 1.1 10 | # - Dual License: CDDL 1.0 and GPL V2 with Classpath Exception 11 | # - Dual 
license: CDDL 1.0 and GPL v2 12 | # - Dual license: CDDL 1.1 and GPL v2 13 | # - GNU LGPL 2.1 14 | # - GNU LGPL 3 15 | # - GPL2 w/ CPE 16 | # - Indiana University Extreme! Lab Software License, vesion 1.1.1 17 | # - LGPL 2.1 18 | # - MIT License 19 | # - MPL 1.1 20 | # - Public Domain 21 | # - The BSD License 22 | #------------------------------------------------------------------------------- 23 | # Please fill the missing licenses for dependencies : 24 | # 25 | # 26 | #Wed Jan 10 12:02:47 CET 2018 27 | javax.xml.stream--stax-api--1.0-2=Dual license: CDDL 1.0 and GPL v2 28 | -------------------------------------------------------------------------------- /plugin/src/main/resources/metrics-fod.yml: -------------------------------------------------------------------------------- 1 | metrics: 2 | - key: "fortify.fod.releaseUrl" 3 | name: "FoD Release URL" 4 | domain: "Fortify FoD - Project" 5 | description: "FoD Release URL" 6 | type: "STRING" 7 | qualitative: false 8 | direction: "NONE" 9 | expr: "deepLink" 10 | 11 | - key: "fortify.fod.applicationName" 12 | name: "FoD Application Name" 13 | domain: "Fortify FoD - Project" 14 | description: "FoD Application Name" 15 | type: "STRING" 16 | qualitative: false 17 | direction: "NONE" 18 | expr: "applicationName" 19 | 20 | - key: "fortify.fod.releaseName" 21 | name: "FoD Release Name" 22 | domain: "Fortify FoD - Project" 23 | description: "FoD Release Name" 24 | type: "STRING" 25 | qualitative: false 26 | direction: "NONE" 27 | expr: "releaseName" 28 | 29 | - key: "fortify.fod.rating" 30 | name: "FoD Rating" 31 | domain: "Fortify FoD - Metrics" 32 | description: "FoD Rating" 33 | type: "INT" 34 | qualitative: true 35 | direction: "BETTER" 36 | expr: "rating" -------------------------------------------------------------------------------- /dist/src/site/markdown/fod-usage.md: -------------------------------------------------------------------------------- 1 | # Usage (FoD) 2 | Contrary to most other SonarQube plug-ins, the 
Fortify plug-in for SonarQube doesn't actually scan any source 3 | code. Instead, vulnerability data is loaded from Fortify on Demand. As such, you will need to separately run a 4 | Fortify on Demand scan before running the SonarQube Fortify plugin. 5 | 6 | So in general the steps to run a SonarQube scan with the Fortify plug-in are as follows: 7 | 8 | * Upload source code to be scanned to Fortify on Demand 9 | * Wait for Fortify on Demand results to be available 10 | * Invoke SonarQube scan with the Fortify plug-in 11 | 12 | Following is an example SonarQube Maven-based scan command that loads vulnerability data from 13 | Fortify on Demand: 14 | 15 | `mvn -X '-Dsonar.fortify.fod.url=https://[region].fortify.com/' -Dsonar.fortify.fod.tenant=[FoD tentant] -Dsonar.fortify.fod.user=[FoD user] '-Dsonar.fortify.fod.password=[FoD password]' "-Dsonar.fortify.fod.release=[FoD release id or application:release name]" sonar:sonar` 16 | -------------------------------------------------------------------------------- /dist/src/site/markdown/sonar-config.md: -------------------------------------------------------------------------------- 1 | # SonarQube Fortify plugin configuration 2 | The plug-in provides various configuration settings, both global and project-specific, that can be configured 3 | through the SonarQube web interface. These settings include SSC or FoD URL and credentials, as well as some 4 | more technical settings. At project level you can define the corresponding SSC application version and SSC 5 | filter set, or FoD application release from which to import vulnerabilities and metrics into SonarQube. Please 6 | see the description for each setting in the SonarQube web interface for more information. 7 | 8 | Note that all settings can also be specified or overridden on the command line when performing a SonarQube 9 | scan. The setting names can be found in the various SonarQube settings pages. 
For instructions on how to 10 | specify these settings during a SonarQube scan, please see the SonarQube documentation. For example, when 11 | running a Maven-based SonarQube scan, these settings can be provided on the Maven command line using the 12 | `-D[setting name]=[value]` command line options. 13 | -------------------------------------------------------------------------------- /dist/src/site/markdown/compatibility.md: -------------------------------------------------------------------------------- 1 | # Compatibility 2 | The plugin has been tested with SonarQube 6.7.7 and SonarQube 7.6: 3 | 4 | * The plugin will most likely work with other 6.7.x versions 5 | * The plugin will most likely work with any SonarQube version in-between 6.7.7 and 7.6 6 | * The plugin may work with versions later than 7.6 7 | * The plugin is not compatible with versions earlier than 6.7 8 | 9 | Note that the plugin will use 7.6-specific SonarQube API features when running on 10 | SonarQube 7.6 or later. As such, results may be slightly different depending on 11 | which version of SonarQube you are running. 12 | 13 | Note that some editions of SonarQube 7.1 (and possibly other versions) may be lacking the 14 | commons-logging library that is required by this plugin. As SonarQube does not allow plugins 15 | to bundle this library, you may need to manually add this library to your SonarQube lib/common 16 | directory. The library can be downloaded from here: 17 | 18 | 19 | The plugin should be compatible with all recent SSC and FoD versions. 
20 | -------------------------------------------------------------------------------- /LICENSE.TXT: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | (c) Copyright 2020 Micro Focus or one of its affiliates, a Micro Focus company 3 | 4 | Permission is hereby granted, free of charge, to any person obtaining a 5 | copy of this software and associated documentation files (the 6 | "Software"), to deal in the Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, publish, distribute, 8 | sublicense, and/or sell copies of the Software, and to permit persons to 9 | whom the Software is furnished to do so, subject to the following 10 | conditions: 11 | 12 | The above copyright notice and this permission notice shall be included 13 | in all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | IN THE SOFTWARE. 
-------------------------------------------------------------------------------- /common/src/main/java/com/fortify/integration/sonarqube/common/IMetricsExpressionField.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.common; 26 | 27 | /** A field that can be referenced from a metrics expression (the {@code expr} entries of the metrics YAML files). The method signatures match {@link Enum#name()}, so implementations are presumably enums such as the FoD and SSC variants in the sibling {@code fod}/{@code ssc} packages -- confirm against those classes. */ public interface IMetricsExpressionField { 28 | /** @return the field identifier as it appears in metrics expressions */ public String name(); 29 | /** @return a human-readable description of the field, presumably rendered by the HTML description helper in this package -- TODO confirm */ public String description(); 30 | } 31 | -------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/issue/IFortifySourceSystemIssueQueryHelper.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.common.issue; 26 | 27 | import com.fortify.util.rest.query.IRestConnectionQuery; 28 | 29 | /** Supplies the REST query used to retrieve issues from the Fortify source system; one implementation exists per source system (SSC and FoD, see the {@code source} packages). */ public interface IFortifySourceSystemIssueQueryHelper { 30 | /** @return a query yielding all issues to import for the configured application version or release. Whether server-side filtering (e.g. an SSC filter set) is already applied is implementation-specific -- check the SSC/FoD helpers. */ public IRestConnectionQuery getAllIssuesQuery(); 31 | } 32 | -------------------------------------------------------------------------------- /plugin/src/main/resources/FortifyRuleDescription.html: -------------------------------------------------------------------------------- 1 | 

HPE Security Fortify Static Code Analyzer (SCA) is used by development groups and security professionals to analyze 2 | the source code of an application for security issues. Using the Fortify SonarQube plug-in, potential vulnerabilities 3 | detected by SCA can be reviewed from within SonarQube.

4 | 5 |

Due to different approaches between SCA and SonarQube for defining rules, scanning source code and presenting the 6 | results, this plug-in works somewhat differently from most other SonarQube plug-ins:

7 |
    8 |
  • The plug-in collects metrics and issues from Fortify Software Security Center (SSC). 9 |
      10 |
    • As such, source code needs to be scanned separately by SCA and results uploaded to SSC before running 11 | SonarQube analysis to include those results in SonarQube.
    • 12 |
    • Allows for using the full Fortify ecosystem to optimize SCA scan coverage and accuracy.
    • 13 |
    • Allows for using SSC issue templates for organizing and filtering issues, for example based on audit data.
    • 14 |
    • Allows for re-use of SSC metrics like variables and performance indicators.
    • 15 |
    16 |
  • 17 |
  • All Fortify vulnerabilities are mapped to a single catch-all SonarQube rule (for each supported SonarQube language). 18 |
      19 |
    • SonarQube requires the list of all supported rules to be available at plug-in load time.
    • 20 |
    • However, different Fortify scans may use different rule sets, for example different standard rule pack versions 21 | or different sets of custom rules.
    • 22 |
    • Fortify does not provide a public API to retrieve the list of standard rule categories since this is considered 23 | intellectual property.
    • 24 |
    25 |
  • 26 |
27 | -------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/issue/IFortifyIssueInputFileRetriever.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.common.issue; 26 | 27 | import org.sonar.api.batch.fs.InputFile; 28 | 29 | import com.fortify.util.rest.json.JSONMap; 30 | 31 | /** Resolves the SonarQube {@link InputFile} against which a Fortify issue is reported. The path-based implementation in this package derives the file from the issue's location data. */ public interface IFortifyIssueInputFileRetriever { 32 | /** @param issueFieldRetriever accessor for the source-system-specific fields of the issue @param issue the raw issue as returned by SSC or FoD @return the matching project file; presumably {@code null} when no project file matches, so callers should handle that case -- confirm against the implementations. NOTE(review): the path originates from remote issue data and should only ever be resolved inside the project file system, never as an arbitrary filesystem path. */ public InputFile getInputFile(IFortifySourceSystemIssueFieldRetriever issueFieldRetriever, JSONMap issue); 33 | } 34 | -------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/issue/IFortifyIssueRuleKeysRetriever.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.common.issue; 26 | 27 | import java.util.Collection; 28 | 29 | import org.sonar.api.rule.RuleKey; 30 | 31 | import com.fortify.util.rest.json.JSONMap; 32 | 33 | /** Maps a Fortify issue to the SonarQube rule(s) it is reported under: either the single catch-all rule, or rules derived from an external-metadata grouping (e.g. OWASP Top 10) when the plugin has been configured that way. The two implementations live in this package. */ public interface IFortifyIssueRuleKeysRetriever { 34 | /** @param issueFieldRetriever accessor for the source-system-specific fields of the issue @param issue the raw issue as returned by SSC or FoD @return a raw {@code Collection}, presumably of {@link RuleKey}; may be empty when the issue maps to no rule -- confirm against the implementations */ public Collection getRuleKeys(IFortifySourceSystemIssueFieldRetriever issueFieldRetriever, JSONMap issue); 35 | } 36 | -------------------------------------------------------------------------------- /dist/src/site/markdown/ssc-artifacts.md: -------------------------------------------------------------------------------- 1 | # Fortify SSC artifact processing 2 | The Fortify SonarQube plugin allows for uploading an FPR file to SSC before having the plugin process the scan results. 3 | When uploading new scan results to Fortify SSC, these scan artifacts first need to be processed by SSC. Depending on 4 | various factors, it may take some time for an uploaded artifact to be processed by SSC, and in some cases processing 5 | may fail or the uploaded artifact may need to be approved. Until an uploaded artifact has been successfully processed, 6 | the newly uploaded scan results will not be available in SSC. 7 | 8 | The Fortify SonarQube plug-in implements various features for handling artifact state: 9 | 10 | * The plug-in will wait for a configured maximum amount of seconds if there is any artifact in the (scheduled for) processing state. 11 | * If the SCA artifact has been processed successfully, results will be loaded from SSC and fed to SonarQube. 
12 | * If the time-out has expired while SSC is still processing the results, if the artifact requires approval, or if there was an error during processing, there are two options depending on the `sonar.fortify.ssc.failOnArtifactStates` setting: 13 | * If the artifact status matches one of the states configured through this setting, the plug-in will throw an exception and cause SonarQube processing to be aborted. No Fortify results will be loaded into SonarQube in this case. 14 | * If the artifact status doesn't match any of the states configured through this setting (or if no fail states have been configured), processing will continue as usual. Note however that the information loaded into SonarQube may be out of date in this case. 15 | * In this case you can optionally define quality gates based on the 'Artifact Status' metric. For example you can define a quality gate condition 'Artifact Status is not PROCESS_COMPLETE'. 16 | 17 | 18 | -------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/IFortifyExtensionProvider.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common;
26 | 
27 | import org.sonar.api.Plugin.Context;
28 | 
29 | /**
30 | * This interface is used to get version-specific SonarQube extensions.
    * Each supported SonarQube version line contributes one implementation that lists the
    * extension classes only valid for that version; the plugin registers whatever the
    * provider returns.
31 | *
32 | * @author Ruud Senden
33 | *
34 | */
35 | public interface IFortifyExtensionProvider {
36 | /**
37 | * @param context the plugin {@link Context} handed to the plugin by SonarQube; implementations
    *        may ignore it
38 | * @return A {@link Class} array containing version-specific SonarQube extensions.
39 | */
40 | public Class[] getExtensions(Context context);
41 | }
42 | 
--------------------------------------------------------------------------------
/dist/src/site/markdown/sonar-install.md:
--------------------------------------------------------------------------------
1 | # Configuring and installing the plugin
2 | Although the plugin can be installed on SonarQube as-is, the plugin distribution provides
3 | a configuration utility that allows for more advanced configurations:
4 | 
5 | * With the default configuration, all Fortify issues will be mapped onto a single SonarQube rule.
6 | The configuration utility allows for downloading externalmetadata.xml from SSC, and use one
7 | of the external groupings defined in this file to define SonarQube rules. For example,
8 | this allows for selecting 'OWASP Top 10 2017' as the rules source, thereby mapping Fortify
9 | issues to SonarQube rules A1 - A10 and Other.
10 | * Note that at the moment, FoD doesn't provide any functionality for retrieving 11 | externalmetadata.xml. However, if you have an SSC instance, you can retrieve 12 | this file from SSC, and the resulting mappings will be used for FoD as well. 13 | * The default configuration provides various standard metrics to be collected from SSC or FoD. 14 | Using the configuration utility, you can add new metrics, or remove predefined metrics. 15 | 16 | As such, it is recommended to run the configuration utility before installing the plugin. The 17 | configuration utility will update the plugin jar file based on the selected configuration settings, 18 | after which you can deploy the plugin jar to SonarQube. 19 | 20 | The configuration utility can be run using the following command: 21 | 22 | `java -jar fortify-sonarqube-plugin-configure-[version].jar` 23 | 24 | It will then ask for the location of the plugin jar, after which you can navigate 25 | through the various tabs to configure the plugin. 26 | 27 | The plugin can then be installed by copying the (configured) fortify-sonarqube-plugin-[version].jar file 28 | to [SonarQube install dir]\extensions\plugins. If you have used earlier versions of the plugin, please 29 | make sure that the SonarQube plugins directory only contains one version of the plugin. 
30 | 
31 | 
32 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/source/fod/scanner/IFortifyFoDScannerSideConnectionHelper.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | * sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.source.fod.scanner;
26 | 
27 | import com.fortify.integration.sonarqube.common.source.fod.IFortifyFoDConnectionHelper;
28 | 
29 | /**
30 | * Scanner-side {@link IFortifyFoDConnectionHelper}. Besides marking an implementation as
31 | * scanner-side, it exposes the FoD release the scanner operates on, so it is not a pure
    * marker interface (the compute-engine side counterpart is).
32 | *
33 | * @author Ruud Senden
34 | *
35 | */
36 | public interface IFortifyFoDScannerSideConnectionHelper extends IFortifyFoDConnectionHelper {
    /**
     * @return the FoD release to load results from, given either by name or by id (the method
     *         name suggests both forms are accepted; how the value is resolved is up to the
     *         implementation)
     */
37 | public String getReleaseNameOrId();
38 | }
39 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/issue/AbstractFortifySourceSystemIssueQueryHelper.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | * sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.issue;
26 | 
27 | import com.fortify.integration.sonarqube.common.IFortifyConnectionHelper;
28 | 
    /**
     * Base class for the source-system specific issue query helpers. It only keeps the connection
     * helper handed in at construction time and exposes it through {@link #getConnHelper()}; the
     * actual querying is left to subclasses. NOTE(review): the type-parameter declaration (CH) was
     * stripped from this listing; given the import it is presumably bounded by
     * {@link IFortifyConnectionHelper} - verify against the source.
     */
29 | public abstract class AbstractFortifySourceSystemIssueQueryHelper> implements IFortifySourceSystemIssueQueryHelper {
    /** Connection helper for the source system; assigned once in the constructor. */
30 | private final CH connHelper;
31 | 
    /**
     * @param connHelper connection helper to be used by this query helper; it is stored as-is
     *        (no null check), so callers are expected to pass a configured instance
     */
32 | public AbstractFortifySourceSystemIssueQueryHelper(CH connHelper) {
33 | this.connHelper = connHelper;
34 | }
35 | 
    /** @return the connection helper passed to the constructor */
36 | public CH getConnHelper() {
37 | return connHelper;
38 | }
39 | }
40 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/ce/IFortifyComputeEngineSideConnectionHelper.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | * sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.ce;
26 | 
27 | import com.fortify.integration.sonarqube.common.IFortifyConnectionHelper;
28 | import com.fortify.util.rest.connection.IRestConnection;
29 | 
30 | /**
31 | * This interface provides helper methods for handling connections to
32 | * the (SSC or FoD) source system at the compute engine side.
    * It declares no methods of its own: everything comes from
    * {@link IFortifyConnectionHelper}, and this type only marks an implementation as
    * the one to use on the compute-engine side.
33 | *
34 | * @author Ruud Senden
35 | *
36 | * @param
    *   NOTE(review): the type-parameter declaration and the @param name were stripped from
    *   this listing; the {@link IRestConnection} import suggests the parameter is the
    *   connection type - confirm against the source.
37 | */
38 | public interface IFortifyComputeEngineSideConnectionHelper extends IFortifyConnectionHelper {
39 | }
40 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/source/ssc/scanner/IFortifySSCScannerSideConnectionHelper.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | * sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.source.ssc.scanner;
26 | 
27 | import com.fortify.integration.sonarqube.common.source.ssc.IFortifySSCConnectionHelper;
28 | 
29 | /**
30 | * Scanner-side {@link IFortifySSCConnectionHelper}. Besides marking an implementation as
31 | * scanner-side, it exposes the SSC application version and filter set the scanner operates
    * on, so it is not a pure marker interface.
32 | *
33 | * @author Ruud Senden
34 | *
35 | */
36 | public interface IFortifySSCScannerSideConnectionHelper extends IFortifySSCConnectionHelper {
    /**
     * @return the SSC application version to load results from, given either by name or by id
     *         (how the value is resolved is up to the implementation)
     */
37 | public String getApplicationVersionNameOrId();
    /**
     * @return the SSC filter set to apply, given either by name or by GUID; what an absent
     *         value means (no filter set, or SSC's default) is up to the implementation
     */
38 | public String getFilterSetNameOrGuid();
39 | }
40 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/sq67/FortifySQ67ExtensionProvider.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | * sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is
furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.sq67;
26 | 
27 | import org.sonar.api.Plugin.Context;
28 | import org.springframework.stereotype.Component;
29 | 
30 | import com.fortify.integration.sonarqube.common.IFortifyExtensionProvider;
31 | import com.fortify.integration.sonarqube.sq67.scanner.FortifySQ67IssueSensorProperties;
32 | 
    /**
     * {@link IFortifyExtensionProvider} for the sq67 flavour of the plugin (presumably the
     * SonarQube 6.7 line; inferred from the package name only). Annotated as a Spring
     * {@link Component}, so it is presumably discovered by component scanning rather than
     * instantiated directly - confirm against the plugin bootstrap.
     */
33 | @Component
34 | public class FortifySQ67ExtensionProvider implements IFortifyExtensionProvider {
35 | 
    /**
     * @param context plugin context; not used by this implementation
     * @return the sq67-specific extensions, currently only {@link FortifySQ67IssueSensorProperties}
     */
36 | @Override
37 | public Class[] getExtensions(Context context) {
38 | return new Class[] {
39 | FortifySQ67IssueSensorProperties.class
40 | };
41 | }
42 | 
43 | }
44 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/sq76/FortifySQ76ExtensionProvider.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.sq76;
26 | 
27 | import org.sonar.api.Plugin.Context;
28 | import org.springframework.stereotype.Component;
29 | 
30 | import com.fortify.integration.sonarqube.common.IFortifyExtensionProvider;
31 | import com.fortify.integration.sonarqube.sq76.scanner.FortifySQ76IssueSensorProperties;
32 | 
    /**
     * {@link IFortifyExtensionProvider} for the sq76 flavour of the plugin (presumably the
     * SonarQube 7.6 line; inferred from the package name only). Structurally identical to the
     * sq67 provider, differing only in the extension class it returns. Annotated as a Spring
     * {@link Component}, so it is presumably discovered by component scanning - confirm against
     * the plugin bootstrap.
     */
33 | @Component
34 | public class FortifySQ76ExtensionProvider implements IFortifyExtensionProvider {
35 | 
    /**
     * @param context plugin context; not used by this implementation
     * @return the sq76-specific extensions, currently only {@link FortifySQ76IssueSensorProperties}
     */
36 | @Override
37 | public Class[] getExtensions(Context context) {
38 | return new Class[] {
39 | FortifySQ76IssueSensorProperties.class
40 | };
41 | }
42 | 
43 | }
44 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/source/fod/metrics/FortifyFoDConfigurableMetrics.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | * sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.source.fod.metrics;
26 | 
27 | import com.fortify.integration.sonarqube.common.SourceSystem;
28 | import com.fortify.integration.sonarqube.common.config.MetricsConfig;
29 | import com.fortify.integration.sonarqube.common.metrics.AbstractFortifyConfigurableMetrics;
30 | 
    /**
     * Configurable metrics for the FoD source system. The {@link MetricsConfig} is loaded in the
     * static initializer, i.e. once at class-load time and shared by all instances; should that
     * load throw an unchecked exception, it surfaces as an ExceptionInInitializerError the first
     * time this class is touched rather than when an instance is created.
     */
31 | public final class FortifyFoDConfigurableMetrics extends AbstractFortifyConfigurableMetrics {
    /** Metrics configuration for FoD, obtained from MetricsConfig.load(SourceSystem.FoD). */
32 | public static final MetricsConfig METRICS_CONFIG = MetricsConfig.load(SourceSystem.FoD);
33 | 
    /** Hands the shared FoD metrics configuration to the base class. */
34 | public FortifyFoDConfigurableMetrics() {
35 | super(METRICS_CONFIG);
36 | }
37 | }
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/source/ssc/metrics/FortifySSCConfigurableMetrics.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | * sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all
copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.source.ssc.metrics;
26 | 
27 | import com.fortify.integration.sonarqube.common.SourceSystem;
28 | import com.fortify.integration.sonarqube.common.config.MetricsConfig;
29 | import com.fortify.integration.sonarqube.common.metrics.AbstractFortifyConfigurableMetrics;
30 | 
    /**
     * Configurable metrics for the SSC source system; the SSC twin of the FoD metrics class.
     * The {@link MetricsConfig} is loaded in the static initializer, i.e. once at class-load
     * time and shared by all instances; should that load throw an unchecked exception, it
     * surfaces as an ExceptionInInitializerError the first time this class is touched.
     */
31 | public final class FortifySSCConfigurableMetrics extends AbstractFortifyConfigurableMetrics {
    /** Metrics configuration for SSC, obtained from MetricsConfig.load(SourceSystem.SSC). */
32 | public static final MetricsConfig METRICS_CONFIG = MetricsConfig.load(SourceSystem.SSC);
33 | 
    /** Hands the shared SSC metrics configuration to the base class. */
34 | public FortifySSCConfigurableMetrics() {
35 | super(METRICS_CONFIG);
36 | }
37 | }
--------------------------------------------------------------------------------
/common/src/main/java/com/fortify/integration/sonarqube/common/config/AbstractYmlConfig.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | *
sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.config;
26 | 
27 | import com.fasterxml.jackson.core.JsonProcessingException;
28 | import com.fasterxml.jackson.databind.ObjectMapper;
29 | import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
30 | 
    /**
     * Common base for the YAML-backed configuration beans. Despite its name the class is not
     * declared abstract. It contributes a shared Jackson/YAML {@link ObjectMapper} and a
     * {@link #toString()} that renders the bean as YAML; property-change support is inherited.
     */
31 | public class AbstractYmlConfig extends AbstractPropertyChangeSupport {
    /**
     * YAML mapper shared by all configuration classes. Per Jackson's documentation an
     * ObjectMapper may be shared across threads once it is no longer being reconfigured, and
     * nothing here reconfigures it after construction.
     */
32 | protected static final ObjectMapper MAPPER = new ObjectMapper(new YAMLFactory());
33 | 
    /**
     * Renders this bean as YAML, falling back to super.toString() if Jackson cannot serialise it.
     * NOTE(review): this serialises every Jackson-visible property of the concrete subclass, so
     * any field that ever carries a credential or token would end up wherever toString() output
     * goes (log statements, debug dumps); such fields should be excluded from serialisation,
     * e.g. via @JsonIgnore. None of the subclasses visible in this listing hold such a field.
     * @return YAML representation of this object, or the superclass representation on failure
     */
34 | @Override
35 | public String toString() {
36 | try {
37 | return MAPPER.writeValueAsString(this);
38 | } catch (JsonProcessingException e) {
39 | return super.toString();
40 | }
41 | }
42 | }
43 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/issue/IFortifySourceSystemIssueFieldRetriever.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | *
Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.issue;
26 | 
27 | import org.sonar.api.batch.rule.Severity;
28 | 
29 | import com.fortify.util.rest.json.JSONMap;
30 | 
    /**
     * Read access to the individual fields of a single issue, as returned by the source system
     * (SSC or FoD) as a raw {@link JSONMap}. Implementations know which keys of that map hold
     * each field, so the rest of the plugin can stay source-system agnostic. How a missing field
     * is reported (null or otherwise) is left to the implementation.
     */
31 | public interface IFortifySourceSystemIssueFieldRetriever {
    /** @return the source-system identifier of the issue */
32 | public String getId(JSONMap issue);
    /** @return the file name the issue was reported in */
33 | public String getFileName(JSONMap issue);
    /** @return the Fortify priority ("friority") of the issue as reported by the source system */
34 | public String getFriority(JSONMap issue);
    /** @return the SonarQube {@link Severity} the issue maps to */
35 | public Severity getSeverity(JSONMap issue);
    /** @return the line number the issue was reported at; declared as {@link Integer}, so may be null */
36 | public Integer getLineNumber(JSONMap issue);
    /** @return the Fortify category of the issue */
37 | public String getCategory(JSONMap issue);
    /** @return a link to the issue; the name suggests it opens the issue in the source system's own UI - confirm */
38 | public String getDeepLink(JSONMap issue);
    /** @return the rule description text associated with the issue */
39 | public String getRuleDescription(JSONMap issue);
40 | }
41 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/issue/AbstractFortifySourceSystemIssueFieldRetriever.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | * sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.issue;
26 | 
27 | import org.apache.commons.lang.StringUtils;
28 | import org.sonar.api.batch.rule.Severity;
29 | 
30 | import com.fortify.integration.sonarqube.common.FortifyConstants;
31 | import com.fortify.util.rest.json.JSONMap;
32 | 
    /**
     * Partial {@link IFortifySourceSystemIssueFieldRetriever} that derives the SonarQube severity
     * from the Fortify priority; all other field accessors remain abstract for the source-system
     * specific subclasses.
     */
33 | public abstract class AbstractFortifySourceSystemIssueFieldRetriever implements IFortifySourceSystemIssueFieldRetriever {
    /**
     * Maps the issue's friority to a SonarQube {@link Severity}. The friority is lower-cased
     * first (StringUtils.lowerCase is null-safe and yields null for null input), so the lookup
     * in FortifyConstants.FRIORITY_TO_SEVERITY is case-insensitive; what that lookup returns for
     * a null or unknown friority is defined in FortifyConstants, which is not shown here.
     * @param issue issue as returned by the source system
     * @return the mapped severity
     */
34 | @Override
35 | public Severity getSeverity(JSONMap issue) {
36 | String friority = StringUtils.lowerCase(getFriority(issue));
37 | return FortifyConstants.FRIORITY_TO_SEVERITY(friority);
38 | }
39 | 
40 | }
41 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/issue/IFortifyIssueJSONMapProcessorFactory.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | * Permission is hereby granted, free of charge, to any person obtaining a
5 | * copy of this software and associated documentation files (the
6 | * "Software"), to deal in the Software without restriction, including without
7 | * limitation the rights to use, copy, modify, merge, publish, distribute,
8 | *
sublicense, and/or sell copies of the Software, and to permit persons to
9 | * whom the Software is furnished to do so, subject to the following
10 | * conditions:
11 | *
12 | * The above copyright notice and this permission notice shall be included
13 | * in all copies or substantial portions of the Software.
14 | *
15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
23 | * IN THE SOFTWARE.
24 | ******************************************************************************/
25 | package com.fortify.integration.sonarqube.common.issue;
26 | 
27 | import org.sonar.api.batch.sensor.SensorContext;
28 | 
29 | import com.fortify.integration.sonarqube.common.issue.FortifyIssuesProcessor.CacheHelper;
30 | import com.fortify.util.rest.json.processor.IJSONMapProcessor;
31 | 
    /**
     * Factory for the {@link IJSONMapProcessor} that turns source-system issues into SonarQube
     * issues, bundled with the field retriever that processor uses to read those issues.
     * Presumably each source system (SSC, FoD) provides its own implementation.
     */
32 | public interface IFortifyIssueJSONMapProcessorFactory {
    /**
     * @param context SonarQube sensor context the issues are reported to
     * @param issueRuleKeyRetriever resolves the rule key(s) an issue is reported under
     * @param issueInputFileRetriever resolves the SonarQube input file an issue belongs to
     * @param cacheHelper cache shared with FortifyIssuesProcessor (its contents are defined
     *        there, not here)
     * @return processor to be invoked for each issue returned by the source system
     */
33 | public IJSONMapProcessor getProcessor(SensorContext context, IFortifyIssueRuleKeysRetriever issueRuleKeyRetriever, IFortifyIssueInputFileRetriever issueInputFileRetriever, CacheHelper cacheHelper);
    /** @return the field retriever matching the source system this factory handles */
34 | public IFortifySourceSystemIssueFieldRetriever getIssueFieldRetriever();
35 | }
36 | 
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/IFortifyConnectionHelper.java:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | * (c) Copyright 2020 Micro Focus or one of its affiliates
3 | *
4 | *
Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.common; 26 | 27 | import com.fortify.util.rest.connection.IRestConnection; 28 | 29 | /** 30 | * This interface provides helper methods for handling connections to 31 | * the (SSC or FoD) source system. 
import com.fortify.util.rest.connection.IRestConnection;

/**
 * Helper for accessing the connection to the Fortify source system (SSC or FoD)
 * that the plug-in has been configured with.
 *
 * @author Ruud Senden
 *
 * @param <C> concrete {@link IRestConnection} type of the source system
 */
public interface IFortifyConnectionHelper<C extends IRestConnection> {

	/**
	 * Returns the configured connection. Callers should check
	 * {@link #isConnectionAvailable()} (or test the result for {@code null}) before use.
	 *
	 * @return connection instance, or {@code null} if no connection is available/configured
	 */
	C getConnection();

	/**
	 * @return {@code true} if both the source-system connection and the application
	 *         version id (or the FoD equivalent) are available, {@code false} otherwise
	 */
	boolean isConnectionAvailable();

}
/**
 * Root configuration loaded from {@code rules.yml}; currently it only holds the name of
 * the source from which the Fortify rules are taken.
 */
public class RulesConfig extends AbstractYmlRootConfig {
	/** Default rules source name; the YAML file may override it via {@code rulesSourceName}. */
	public static final String SINGLE_RULE_SOURCE_NAME = "Single Fortify Rule";

	private String rulesSourceName = SINGLE_RULE_SOURCE_NAME;

	/**
	 * Loads the configuration from the {@code rules.yml} resource.
	 *
	 * @return the loaded {@link RulesConfig}
	 */
	public static final RulesConfig load() {
		return load("rules.yml", RulesConfig.class);
	}

	/** @return the configured rules source name, defaulting to {@link #SINGLE_RULE_SOURCE_NAME} */
	public String getRulesSourceName() {
		return rulesSourceName;
	}

	/**
	 * Updates the rules source name and notifies registered property-change listeners.
	 *
	 * @param newValue the new rules source name
	 */
	public void setRulesSourceName(String newValue) {
		final String previous = rulesSourceName;
		rulesSourceName = newValue;
		// NOTE(review): the event is fired under the property name "key", not "rulesSourceName".
		// Left unchanged because listeners may be bound to that name, but confirm it is intended.
		propertyChangeSupport.firePropertyChange("key", previous, newValue);
	}
}
import com.fortify.integration.sonarqube.common.fod.FoDMetricsExpressionField;
import com.fortify.integration.sonarqube.common.ssc.SSCMetricsExpressionField;

/**
 * The Fortify products that can act as the source of vulnerability data: SSC or FoD.
 */
public enum SourceSystem {
	SSC, FoD;

	/**
	 * @return lower-case identifier of this source system ({@code "ssc"} or {@code "fod"})
	 */
	public String id() {
		return name().toLowerCase();
	}

	/**
	 * @return HTML description of the fields usable in metrics expressions for this source
	 *         system, delegated to the matching {@code *MetricsExpressionField} enum
	 * @throws RuntimeException for a constant that is neither {@link #SSC} nor {@link #FoD};
	 *         unreachable with the current constants, kept as a guard against future additions
	 */
	public String getMetricsExpressionFieldsHTMLDescription() {
		if (this == SSC) {
			return SSCMetricsExpressionField.getMetricsExpressionFieldsHTMLDescription();
		}
		if (this == FoD) {
			return FoDMetricsExpressionField.getMetricsExpressionFieldsHTMLDescription();
		}
		throw new RuntimeException("Unknown enum value " + this.name());
	}
}
import java.util.Arrays;
import java.util.Collection;

import org.sonar.api.batch.rule.ActiveRule;
import org.sonar.api.rule.RuleKey;

import com.fortify.util.rest.json.JSONMap;

/**
 * {@link IFortifyIssueRuleKeysRetriever} that reports every Fortify issue under one fixed
 * SonarQube rule, regardless of the issue's own fields.
 */
public class FortifyIssueRuleKeysRetrieverSingleRule implements IFortifyIssueRuleKeysRetriever {
	/** The single active rule all issues are mapped to. */
	private final ActiveRule activeRule;

	/**
	 * @param activeRule the active rule every issue is reported under
	 */
	public FortifyIssueRuleKeysRetrieverSingleRule(ActiveRule activeRule) {
		this.activeRule = activeRule;
	}

	/**
	 * Ignores both arguments and always returns the configured rule's key.
	 *
	 * @param issueFieldRetriever unused here
	 * @param issue               unused here
	 * @return a single-element list holding {@code activeRule.ruleKey()}
	 */
	@Override
	public Collection<RuleKey> getRuleKeys(IFortifySourceSystemIssueFieldRetriever issueFieldRetriever, JSONMap issue) {
		final RuleKey key = activeRule.ruleKey();
		return Arrays.asList(key);
	}

}
-------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.common; 26 | 27 | import org.sonar.api.Plugin.Context; 28 | import org.springframework.stereotype.Component; 29 | 30 | import com.fortify.integration.sonarqube.common.language.FortifyLanguage; 31 | import com.fortify.integration.sonarqube.common.profile.FortifyProfile; 32 | import com.fortify.integration.sonarqube.common.rule.FortifyRulesDefinition; 33 | 34 | @Component 35 | public class FortifyCommonExtensionProvider implements IFortifyExtensionProvider { 36 | 37 | @Override 38 | public Class[] getExtensions(Context context) { 39 | return new Class[] { 40 | // Rules, language and quality profile 41 | FortifyRulesDefinition.class, 42 | FortifyLanguage.class, 43 | FortifyProfile.class 44 | }; 45 | } 46 | 47 | } 48 | -------------------------------------------------------------------------------- /dist/src/site/markdown/sonar-files.md: -------------------------------------------------------------------------------- 1 | # SonarQube files to be scanned 2 | By default, SonarQube only scans file types that are supported by the installed SonarQube language plugins. For example, 3 | if you have the SonarQube Java language plugin installed, SonarQube will scan files with the .java file extension. 4 | However, the Java language plugin for your SonarQube version may not support JSP files, so JSP files will by default not 5 | be scanned by SonarQube. 6 | 7 | Depending on the SonarQube version that you are running, the Fortify plugin exhibits different behaviours: 8 | 9 | * For SonarQube versions earlier than 7.6, any vulnerabilities for which no corresponding source file 10 | can be found in the SonarQube scan will be ignored. For example, if SonarQube is not configured to scan 11 | .xml or .jsp files, any Fortify vulnerabilities on .xml or .jsp files will not be reported in SonarQube. 
12 | The same is true for any vulnerabilities for which no source file is available, like Dynamic Application 13 | Security Testing (DAST) results. 14 | * For SonarQube versions 7.6 and up, any vulnerabilities for which no corresponding source file can be 15 | found in the SonarQube scan will be reported as SonarQube project-level issues. This includes any vulnerabilities 16 | for which no source file is available, like DAST results. 17 | 18 | Multiple options exist for including additional file types in the SonarQube scan, such that Fortify vulnerabilities 19 | can be reported on the correct source files: 20 | 21 | * Install SonarQube language plugins that support these file types 22 | * Configure additional file extensions to be included in the SonarQube scan through the Fortify plugin: 23 | * Navigate to Administration->General Settings->Fortify, and add additional file suffixes 24 | in the `Additional file suffixes` field 25 | * Or set the `sonar.fortify.filesuffixes` property, containing a comma-separated list of 26 | file extensions, when running the SonarQube scan 27 | * Instruct SonarQube to include unknown file types during the scan: 28 | * Navigate to Administration->General Settings->Analysis Scope->Files, and enable the 29 | `Import unknown files` option 30 | * Or set the `sonar.import_unknown_files` property to true when running the SonarQube scan. Note that this imports every file type within the analysis scope into SonarQube, where the content is stored and viewable; review your analysis scope exclusions first so that files you do not want there (credentials, key material, local configuration) are left out. 31 | -------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/sq76/source/fod/scanner/FortifyFoDSQ76ScannerSideConnectionHelper.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates, a Micro Focus company 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files
(the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.sq76.source.fod.scanner; 26 | 27 | import org.sonar.api.config.Configuration; 28 | import org.sonar.api.scanner.ScannerSide; 29 | 30 | import com.fortify.integration.sonarqube.common.source.fod.scanner.AbstractFortifyFoDScannerSideConnectionHelper; 31 | 32 | /** 33 | * This {@link AbstractFortifyFoDScannerSideConnectionHelper} implementation just adds the 34 | * 7.6-specific {@link ScannerSide} annotation. 
import org.sonar.api.config.Configuration;
import org.sonar.api.scanner.ScannerSide;

import com.fortify.integration.sonarqube.common.source.fod.scanner.AbstractFortifyFoDScannerSideConnectionHelper;

/**
 * SonarQube 7.6+ variant of {@link AbstractFortifyFoDScannerSideConnectionHelper}. All
 * behaviour is inherited; this subclass exists only to carry the 7.6-specific
 * {@link ScannerSide} annotation (the 6.7 variant uses different annotations).
 *
 * @author Ruud Senden
 */
@ScannerSide
public class FortifyFoDSQ76ScannerSideConnectionHelper extends AbstractFortifyFoDScannerSideConnectionHelper {
	/**
	 * @param configuration SonarQube scanner configuration, handed to the superclass unchanged
	 */
	public FortifyFoDSQ76ScannerSideConnectionHelper(Configuration configuration) {
		super(configuration);
	}
}
import org.sonar.api.config.Configuration;
import org.sonar.api.scanner.ScannerSide;

import com.fortify.integration.sonarqube.common.source.ssc.scanner.AbstractFortifySSCScannerSideConnectionHelper;

/**
 * SonarQube 7.6+ variant of {@link AbstractFortifySSCScannerSideConnectionHelper}. All
 * behaviour is inherited; this subclass exists only to carry the 7.6-specific
 * {@link ScannerSide} annotation (the 6.7 variant uses different annotations).
 *
 * @author Ruud Senden
 */
@ScannerSide
public class FortifySSCSQ76ScannerSideConnectionHelper extends AbstractFortifySSCScannerSideConnectionHelper {
	/**
	 * @param configuration SonarQube scanner configuration, handed to the superclass unchanged
	 */
	public FortifySSCSQ76ScannerSideConnectionHelper(Configuration configuration) {
		super(configuration);
	}
}
14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | 26 | /** 27 | *

This package contains SonarQube plugin code specific to SonarQube 7.6 28 | * and up. For earlier versions, the plugin code is provided 29 | * in the {@link com.fortify.integration.sonarqube.sq67} package.

30 | * 31 | *

Most of the classes provided in this package simply extend from a common 32 | * implementation provided in the {@link com.fortify.integration.sonarqube.common.source.ssc} 33 | * package, and add the SonarQube 7.6-specific {@link org.sonar.api.scanner.ScannerSide} 34 | * annotation. The notable exceptions are the sensor implementations, which require a 35 | * more complete 7.6-specific implementation due to some major API changes between 36 | * SonarQube 6.7 and 7.6.

37 | * 38 | */ 39 | 40 | package com.fortify.integration.sonarqube.sq76; -------------------------------------------------------------------------------- /dist/src/site/markdown/ssc-usage.md: -------------------------------------------------------------------------------- 1 | # Usage (SSC) 2 | Unlike most other SonarQube plug-ins, the Fortify plug-in for SonarQube doesn't actually scan any source 3 | code. Instead, vulnerability data is loaded from Fortify SSC. As such, you will need to separately run a 4 | Fortify SCA scan and upload the scan results to Fortify SSC. 5 | 6 | So in general the steps to run a SonarQube scan with the Fortify plug-in are as follows: 7 | 8 | * Run SCA translation 9 | * Run SCA scan 10 | * Invoke SonarQube scan with the Fortify plug-in 11 | 12 | As an example of a Maven-based SCA and SonarQube scan: 13 | 14 | * Navigate to [SCA Install]\plugins\maven 15 | * Unzip either the binary or source Maven plugin, and build/deploy the plugin to your local Maven repository 16 | * Navigate to the samples\EightBall directory inside the Maven plugin directory 17 | * Run a Maven-based scan for the EightBall example (see README.txt) 18 | * Create application EightBall and version 1.0 in SSC 19 | * Run the following command to perform SonarQube analysis, upload the FPR file to SSC, wait for SSC to process 20 | the artifact, and then import vulnerabilities and metrics from SSC: 21 | * `mvn -Dsonar.fortify.ssc.url=http[s]://[credentials]@[host][:port]/ssc -Dsonar.fortify.ssc.appversion=EightBall:1.0 -Dsonar.fortify.ssc.uploadFPR=target\fortify\EightBall-1.0.fpr -Dsonar.fortify.ssc.failOnArtifactStates=SCHED_PROCESSING,PROCESSING,REQUIRE_AUTH,ERROR_PROCESSING -Dsonar.fortify.ssc.processing.timeout=120 sonar:sonar` 22 | * [credentials] can be either 'authToken:[authtoken]' or '[username]:[password]'. Because the credentials are part of the URL on the command line, they can end up in shell history, process listings and CI/build logs: use `https://`, prefer an SSC authentication token over a username/password, and inject the value from a masked CI secret rather than typing it literally. 23 | * Apart from regular SonarQube processing, this will invoke the Fortify SonarQube plug-in to retrieve vulnerability data and metrics from Fortify SSC.
24 | * The plug-in will start with uploading the FPR file to SSC (`-Dsonar.fortify.ssc.uploadFPR=target\fortify\EightBall-1.0.fpr`) 25 | * The plug-in will wait for at most 120 seconds (`-Dsonar.fortify.ssc.processing.timeout` setting) for SSC to process the uploaded SCA scan results. 26 | * If the uploaded scan results have not been processed within that time-frame, if the upload requires approval, or if there was an error processing the uploaded artifact, the scan will fail (`-Dsonar.fortify.ssc.failOnArtifactStates` setting). 27 | * For a full list of available settings, see the SonarQube settings pages. 28 | -------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/sq67/package-info.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates, a Micro Focus company 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | 26 | /** 27 | *

This package contains SonarQube plugin code specific to SonarQube 6.7 28 | * up to SonarQube 7.5.x. For later versions, the plugin code is provided 29 | * in the {@link com.fortify.integration.sonarqube.sq76} package.

30 | * 31 | *

Most of the classes provided in this package simply extend from a common 32 | * implementation provided in the {@link com.fortify.integration.sonarqube.common.source.ssc} 33 | * package, and add the SonarQube 6.7-specific {@link org.sonar.api.batch.ScannerSide} 34 | * and {@link org.sonar.api.batch.InstantiationStrategy} annotations. The notable 35 | * exception are sensor implementations, which require a more complete 6.7-specific 36 | * implementation due to some major API changes between SonarQube 6.7 and 7.6.

37 | * 38 | */ 39 | 40 | package com.fortify.integration.sonarqube.sq67; -------------------------------------------------------------------------------- /common/src/main/java/com/fortify/integration/sonarqube/common/fod/FoDMetricsExpressionField.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
import java.util.Map;

import com.fortify.integration.sonarqube.common.IMetricsExpressionField;
import com.fortify.integration.sonarqube.common.MetricsExpressionFieldsHTMLDescriptionHelper;

/**
 * FoD counterpart of the SSC metrics expression fields. No constants are declared
 * (yet), so the generated HTML description lists no fields and carries no examples.
 */
public enum FoDMetricsExpressionField implements IMetricsExpressionField {
	;

	/** Human-readable description of the field. */
	private final String description;

	FoDMetricsExpressionField(String fieldDescription) {
		this.description = fieldDescription;
	}

	/** @return description of this field */
	public String description() {
		return description;
	}

	/**
	 * Builds the HTML description of the FoD metrics expression fields, passing the
	 * {@code "/api/v3/releases"} path (presumably the FoD API resource the fields belong to)
	 * to the shared helper. With no enum constants the field array is empty, and
	 * {@code examples} is deliberately {@code null}: no examples are provided for FoD.
	 *
	 * @return HTML description as produced by {@link MetricsExpressionFieldsHTMLDescriptionHelper}
	 */
	public static final String getMetricsExpressionFieldsHTMLDescription() {
		final Map examples = null;
		final FoDMetricsExpressionField[] fields = FoDMetricsExpressionField.values();
		return MetricsExpressionFieldsHTMLDescriptionHelper
				.getMetricsExpressionFieldsHTMLDescription("/api/v3/releases", fields, examples);
	}
}
all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.sq76.source.ssc.scanner; 26 | 27 | import org.sonar.api.config.Configuration; 28 | import org.sonar.api.scanner.ScannerSide; 29 | 30 | import com.fortify.integration.sonarqube.common.source.ssc.scanner.AbstractFortifySSCUploadFPRStartable; 31 | import com.fortify.integration.sonarqube.common.source.ssc.scanner.IFortifySSCScannerSideConnectionHelper; 32 | 33 | /** 34 | * This {@link AbstractFortifySSCUploadFPRStartable} implementation just adds the 35 | * 7.6-specific {@link ScannerSide} annotation. 
import org.sonar.api.config.Configuration;
import org.sonar.api.scanner.ScannerSide;

import com.fortify.integration.sonarqube.common.source.ssc.scanner.AbstractFortifySSCUploadFPRStartable;
import com.fortify.integration.sonarqube.common.source.ssc.scanner.IFortifySSCScannerSideConnectionHelper;

/**
 * SonarQube 7.6+ variant of {@link AbstractFortifySSCUploadFPRStartable} (by its name, the
 * component that uploads an FPR to SSC; the actual logic lives in the superclass). This
 * subclass adds nothing but the 7.6-specific {@link ScannerSide} annotation.
 *
 * @author Ruud Senden
 */
@ScannerSide
public class FortifySSCSQ76UploadFPRStartable extends AbstractFortifySSCUploadFPRStartable {
	/**
	 * @param configuration    SonarQube scanner configuration, handed to the superclass unchanged
	 * @param connectionHelper scanner-side SSC connection helper, handed to the superclass unchanged
	 */
	public FortifySSCSQ76UploadFPRStartable(Configuration configuration, IFortifySSCScannerSideConnectionHelper connectionHelper) {
		super(configuration, connectionHelper);
	}
}
import org.sonar.api.batch.InstantiationStrategy;
import org.sonar.api.batch.ScannerSide;
import org.sonar.api.config.Configuration;

import com.fortify.integration.sonarqube.common.source.fod.scanner.AbstractFortifyFoDScannerSideConnectionHelper;

/**
 * SonarQube 6.7 - 7.5 variant of {@link AbstractFortifyFoDScannerSideConnectionHelper}. All
 * behaviour is inherited; this subclass only carries the 6.7-specific {@link ScannerSide}
 * annotation and the {@link InstantiationStrategy#PER_BATCH} instantiation strategy.
 *
 * @author Ruud Senden
 */
@ScannerSide
@InstantiationStrategy(InstantiationStrategy.PER_BATCH)
public class FortifyFoDSQ67ScannerSideConnectionHelper extends AbstractFortifyFoDScannerSideConnectionHelper {
	/**
	 * @param configuration SonarQube scanner configuration, handed to the superclass unchanged
	 */
	public FortifyFoDSQ67ScannerSideConnectionHelper(Configuration configuration) {
		super(configuration);
	}
}
notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.sq67.source.ssc.scanner; 26 | 27 | import org.sonar.api.batch.InstantiationStrategy; 28 | import org.sonar.api.batch.ScannerSide; 29 | import org.sonar.api.config.Configuration; 30 | 31 | import com.fortify.integration.sonarqube.common.source.ssc.scanner.AbstractFortifySSCScannerSideConnectionHelper; 32 | 33 | /** 34 | * This {@link AbstractFortifySSCScannerSideConnectionHelper} implementation just adds the 35 | * 6.7-specific {@link ScannerSide} and {@link InstantiationStrategy} annotations. 
/**
 * SonarQube 6.7 flavour of {@link AbstractFortifySSCScannerSideConnectionHelper}.
 * No behaviour is added; the class only carries the annotations the 6.7 scanner
 * API needs: {@link ScannerSide} so the helper is registered as a scanner
 * extension, and {@link InstantiationStrategy#PER_BATCH} so (per the SonarQube
 * API) one instance serves the whole scanner run instead of one per module.
 * <p>
 * NOTE(review): judging by its name and by IFortifySSCConnectionHelper, this
 * object presumably holds the SSC URL (including credentials) read from the
 * scanner configuration for the whole run; keep it out of log output and do not
 * serialise it. The parent class is not visible here - confirm it behaves that way.
 *
 * @author Ruud Senden
 */
@InstantiationStrategy(InstantiationStrategy.PER_BATCH)
@ScannerSide
public class FortifySSCSQ67ScannerSideConnectionHelper extends AbstractFortifySSCScannerSideConnectionHelper {

    /**
     * @param config scanner configuration, handed through to the parent class
     */
    public FortifySSCSQ67ScannerSideConnectionHelper(Configuration config) {
        super(config);
    }

}
/**
 * Registers the FoD-related extensions that are shared by every supported
 * SonarQube version: the configurable measure computer, the configurable
 * metrics and the connection properties metrics.
 * <p>
 * NOTE(review): FortifyFoDConnectionPropertiesMetrics appears to define the
 * metrics used to carry FoD connection properties between scanner and server;
 * TODO.txt lists an open check on whether the hidden metrics holding the
 * SSC/FoD URL/credentials can be read back (for example through the web API).
 * Confirm no secret is stored in a measure before shipping.
 */
@Component
public class FortifyCommonFoDExtensionProvider implements IFortifyExtensionProvider {

    /** Extensions contributed by this provider; callers always receive a copy. */
    private static final Class[] COMMON_FOD_EXTENSIONS = {
        FortifyFoDConfigurableMeasureComputer.class,
        FortifyFoDConfigurableMetrics.class,
        FortifyFoDConnectionPropertiesMetrics.class
    };

    /**
     * @param context plugin context; not consulted, the same extensions apply regardless
     * @return a fresh array with the extension classes listed above, in that order
     */
    @Override
    public Class[] getExtensions(Context context) {
        // Hand out a copy so the shared array cannot be mutated by a caller.
        return COMMON_FOD_EXTENSIONS.clone();
    }

}
* 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
/**
 * Registers the SSC-related extensions that are shared by every supported
 * SonarQube version: the configurable measure computer, the configurable
 * metrics and the connection properties metrics.
 * <p>
 * NOTE(review): FortifySSCConnectionPropertiesMetrics appears to define the
 * metrics used to carry SSC connection properties between scanner and server;
 * TODO.txt lists an open check on whether the hidden metrics holding the
 * SSC/FoD URL/credentials can be read back (for example through the web API).
 * Confirm no secret is stored in a measure before shipping.
 */
@Component
public class FortifyCommonSSCExtensionProvider implements IFortifyExtensionProvider {

    /** Extensions contributed by this provider; callers always receive a copy. */
    private static final Class[] COMMON_SSC_EXTENSIONS = {
        FortifySSCConfigurableMeasureComputer.class,
        FortifySSCConfigurableMetrics.class,
        FortifySSCConnectionPropertiesMetrics.class
    };

    /**
     * @param context plugin context; not consulted, the same extensions apply regardless
     * @return a fresh array with the extension classes listed above, in that order
     */
    @Override
    public Class[] getExtensions(Context context) {
        // Hand out a copy so the shared array cannot be mutated by a caller.
        return COMMON_SSC_EXTENSIONS.clone();
    }

}
/**
 * Registers the FoD-specific extensions for the SonarQube 6.7 plugin flavour:
 * the scanner-side connection helper, the connection properties metrics sensor
 * and the issue sensor.
 * <p>
 * NOTE(review): the connection properties metrics sensor presumably stores the
 * FoD connection properties as measures; TODO.txt lists an open check on whether
 * the hidden metrics holding the SSC/FoD URL/credentials can be read back (for
 * example through the web API). Confirm no secret is stored in a measure.
 */
@Component
public class FortifyFoDSQ67ExtensionProvider implements IFortifyExtensionProvider {

    /** Extensions contributed by this provider; callers always receive a copy. */
    private static final Class[] FOD_SQ67_EXTENSIONS = {
        FortifyFoDSQ67ScannerSideConnectionHelper.class,
        FortifyFoDSQ67ConnectionPropertiesMetricsSensor.class,
        FortifyFoDSQ67IssueSensor.class
    };

    /**
     * @param context plugin context; not consulted, the same extensions apply regardless
     * @return a fresh array with the extension classes listed above, in that order
     */
    @Override
    public Class[] getExtensions(Context context) {
        // Hand out a copy so the shared array cannot be mutated by a caller.
        return FOD_SQ67_EXTENSIONS.clone();
    }

}
/******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.sq76.source.fod; 26 | 27 | import org.sonar.api.Plugin.Context; 28 | import org.springframework.stereotype.Component; 29 | 30 | import com.fortify.integration.sonarqube.common.IFortifyExtensionProvider; 31 | import com.fortify.integration.sonarqube.sq76.source.fod.scanner.FortifyFoDSQ76ConnectionPropertiesMetricsSensor; 32 | import com.fortify.integration.sonarqube.sq76.source.fod.scanner.FortifyFoDSQ76IssueSensor; 33 | import com.fortify.integration.sonarqube.sq76.source.fod.scanner.FortifyFoDSQ76ScannerSideConnectionHelper; 34 | 35 | @Component 36 | public class FortifyFoDSQ76ExtensionProvider implements IFortifyExtensionProvider { 37 | 38 | @Override 39 | public Class[] getExtensions(Context context) { 40 | return new Class[] { 41 | FortifyFoDSQ76ScannerSideConnectionHelper.class, 42 | FortifyFoDSQ76ConnectionPropertiesMetricsSensor.class, 43 | FortifyFoDSQ76IssueSensor.class 44 | }; 45 | } 46 | 47 | } 48 | -------------------------------------------------------------------------------- /TODO.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Update README.md 4 | 5 | Plugin general: 6 | - Configurable mapping between friority and SonarQube severity 7 | - Configurable support for using folder instead of friority to determine SonarQube severity 8 | - Web pages 9 | - Show information similar to previous widget 10 | - Clean-up/remove FortifyConstants 11 | - Add/improve error handling 12 | - Check whether the hidden metrics used to pass the SSC/FoD URL/credentials are exposed anywhere (for example through the web API measures endpoints, or in scanner/server logs); marking a metric as hidden does not by itself guarantee it cannot be read back, so consider not passing credentials through metrics at all 13 | 14 | 15 | Plugin on SQ 6.7: 16 | - Remove scanner warnings: [WARNING] Storing measures on folders or modules is deprecated. Provided value of metric ... 
is ignored 17 | - Apparently measures cannot be saved on modules with packaging type pom 18 | - Add FoD implementation 19 | 20 | Plugin on SQ 7.6: 21 | - Map Fortify issues to SonarQube-provided OWASP Top 10/SANS Top 25 Security Reports 22 | - Add FortifyIssueRuleKeyRetrieverAdHoc that generates SonarQube ad-hoc rules for Fortify categories 23 | - First check whether ad hoc rules are supported for regular issues 24 | - If enabled (through configuration utility, as alternative for single Fortify rule/external lists): 25 | - Don't generate any Fortify-related rules/repositories/profiles 26 | - Add additional issue query fields to retrieve rule description 27 | - Generate (and cache) ad-hoc rule based on rule description in issue data 28 | 29 | 30 | Metrics: 31 | - Add support and default metrics for folder counts 32 | - Add support for default value if no value available from SSC? 33 | - Fortify security rating -> SonarQube rating (RATING metric type) in metrics-*.yml 34 | 35 | Configuration utility: 36 | - Hide MetricDetailsPanel if no item selected in listMetrics 37 | - Add validation (duplicate metric keys, test metric expressions by loading application version from SSC) 38 | - Add help information/tooltips for various input fields 39 | - Remove the hardcoded SSC URL and credentials from the configuration utility (replace with a generic sample URL and empty credentials); hardcoded credentials in source are a secret-leak risk, and if they were ever valid they must be rotated 40 | - Add support for configuring default values for plugin PropertyDefinitions? 41 | - How to keep property definitions in sync between plugin and configuration tool? 42 | - How to avoid code duplication? 
43 | 44 | Build: 45 | - Remove unnecessary elements in pom.xml files if already defined in parent 46 | - Fix warnings 47 | 48 | Tests: 49 | - Sonar Scanner/Maven scanner 50 | - No exceptions if SSC/FoD connection details have not been configured 51 | - Combinations of FoD/SSC, Single/externallist-based rules, different SonarQube versions , single/multi-module projects 52 | -------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/sq67/source/ssc/scanner/FortifySSCSQ67UploadFPRStartable.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates, a Micro Focus company 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
/**
 * SonarQube 6.7 flavour of {@link AbstractFortifySSCUploadFPRStartable}. No
 * behaviour is added; the class only carries the annotations the 6.7 scanner
 * API needs: {@link ScannerSide} so the startable is registered as a scanner
 * extension, and {@link InstantiationStrategy#PER_BATCH} so (per the SonarQube
 * API) one instance serves the whole scanner run instead of one per module.
 * <p>
 * NOTE(review): what the parent class does at start-up (the name suggests an FPR
 * upload to SSC) is not visible in this file - confirm before relying on that.
 *
 * @author Ruud Senden
 */
@InstantiationStrategy(InstantiationStrategy.PER_BATCH)
@ScannerSide
public class FortifySSCSQ67UploadFPRStartable extends AbstractFortifySSCUploadFPRStartable {

    /**
     * @param config     scanner configuration, handed through to the parent class
     * @param connHelper SSC connection helper, handed through to the parent class
     */
    public FortifySSCSQ67UploadFPRStartable(Configuration config, IFortifySSCScannerSideConnectionHelper connHelper) {
        super(config, connHelper);
    }

}
package com.fortify.integration.sonarqube.common.source.fod;

import com.fortify.client.fod.connection.FoDAuthenticatingRestConnection;
import com.fortify.integration.sonarqube.common.IFortifyConnectionHelper;

/**
 * This interface provides access to the FoD connection details configured for
 * the current analysis: the FoD URL (including credentials), the tenant, user
 * name and password used to authenticate, and the FoD release id. The
 * corresponding {@link FoDAuthenticatingRestConnection} instance and the check
 * whether connection and release id are available are not declared here;
 * presumably they are inherited from {@link IFortifyConnectionHelper}, which is
 * not visible in this file - confirm.
 * <p>
 * Security note: several of these values are secrets. Implementations and
 * callers must not log them or write them into anything that can be read back
 * later; TODO.txt records that the URL/credentials are passed through hidden
 * metrics and that their exposure (for example through the web API) is still
 * an open item.
 *
 * @author Ruud Senden
 *
 */
public interface IFortifyFoDConnectionHelper extends IFortifyConnectionHelper {

	/**
	 * @return FoD release id, or null if not available/configured
	 */
	public String getReleaseId();

	/**
	 * The returned string embeds the credentials, so the whole value must be
	 * treated as a secret: do not log it or include it in error messages.
	 *
	 * @return FoD URL (including credentials), or null if not available/configured
	 */
	public String getFoDUrl();

	/**
	 * @return FoD tenant; presumably null if not configured, like the other
	 *         getters - confirm against the implementation
	 */
	public String getFoDTenant();

	/**
	 * @return FoD user name; presumably null if not configured - confirm against
	 *         the implementation
	 */
	public String getFoDUser();

	/**
	 * Secret: never log or persist the returned value.
	 *
	 * @return FoD password; presumably null if not configured - confirm against
	 *         the implementation
	 */
	public String getFoDPassword();

}
/**
 * Registers the SSC-specific extensions for the SonarQube 6.7 plugin flavour:
 * the scanner-side connection helper, the FPR upload startable, the connection
 * properties metrics sensor and the issue sensor.
 * <p>
 * NOTE(review): the connection properties metrics sensor presumably stores the
 * SSC connection properties as measures; TODO.txt lists an open check on whether
 * the hidden metrics holding the SSC/FoD URL/credentials can be read back (for
 * example through the web API). Confirm no secret is stored in a measure.
 */
@Component
public class FortifySSCSQ67ExtensionProvider implements IFortifyExtensionProvider {

    /** Extensions contributed by this provider; callers always receive a copy. */
    private static final Class[] SSC_SQ67_EXTENSIONS = {
        FortifySSCSQ67ScannerSideConnectionHelper.class,
        FortifySSCSQ67UploadFPRStartable.class,
        FortifySSCSQ67ConnectionPropertiesMetricsSensor.class,
        FortifySSCSQ67IssueSensor.class
    };

    /**
     * @param context plugin context; not consulted, the same extensions apply regardless
     * @return a fresh array with the extension classes listed above, in that order
     */
    @Override
    public Class[] getExtensions(Context context) {
        // Hand out a copy so the shared array cannot be mutated by a caller.
        return SSC_SQ67_EXTENSIONS.clone();
    }

}
a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
/**
 * Registers the SSC-specific extensions for the SonarQube 7.6 plugin flavour:
 * the scanner-side connection helper, the FPR upload startable, the connection
 * properties metrics sensor and the issue sensor.
 * <p>
 * NOTE(review): the connection properties metrics sensor presumably stores the
 * SSC connection properties as measures; TODO.txt lists an open check on whether
 * the hidden metrics holding the SSC/FoD URL/credentials can be read back (for
 * example through the web API). Confirm no secret is stored in a measure.
 */
@Component
public class FortifySSCSQ76ExtensionProvider implements IFortifyExtensionProvider {

    /** Extensions contributed by this provider; callers always receive a copy. */
    private static final Class[] SSC_SQ76_EXTENSIONS = {
        FortifySSCSQ76ScannerSideConnectionHelper.class,
        FortifySSCSQ76UploadFPRStartable.class,
        FortifySSCSQ76ConnectionPropertiesMetricsSensor.class,
        FortifySSCSQ76IssueSensor.class
    };

    /**
     * @param context plugin context; not consulted, the same extensions apply regardless
     * @return a fresh array with the extension classes listed above, in that order
     */
    @Override
    public Class[] getExtensions(Context context) {
        // Hand out a copy so the shared array cannot be mutated by a caller.
        return SSC_SQ76_EXTENSIONS.clone();
    }

}
/**
 * Minimal base class giving subclasses JavaBeans-style property change
 * notification by delegating to a {@link PropertyChangeSupport} whose event
 * source is {@code this}. Subclasses fire events through the protected
 * {@link #propertyChangeSupport} delegate; this class itself never fires any.
 */
public class AbstractPropertyChangeSupport {

    /** Keeps the registered listeners and dispatches events with this object as source. */
    protected final PropertyChangeSupport propertyChangeSupport = new PropertyChangeSupport(this);

    /** Creates an instance with no listeners registered. */
    public AbstractPropertyChangeSupport() {
        // The delegate is initialised at its declaration; nothing else to set up.
    }

    /**
     * Registers a listener that is notified of changes to any property.
     *
     * @param listener listener to add
     */
    public void addPropertyChangeListener(PropertyChangeListener listener) {
        this.propertyChangeSupport.addPropertyChangeListener(listener);
    }

    /**
     * Registers a listener that is only notified of changes to the named property.
     *
     * @param propertyName property the listener is interested in
     * @param listener     listener to add
     */
    public void addPropertyChangeListener(String propertyName, PropertyChangeListener listener) {
        this.propertyChangeSupport.addPropertyChangeListener(propertyName, listener);
    }

    /**
     * Removes a listener previously added for all properties.
     *
     * @param listener listener to remove
     */
    public void removePropertyChangeListener(PropertyChangeListener listener) {
        this.propertyChangeSupport.removePropertyChangeListener(listener);
    }

    /**
     * Removes a listener previously added for the named property.
     *
     * @param propertyName property the listener was registered for
     * @param listener     listener to remove
     */
    public void removePropertyChangeListener(String propertyName, PropertyChangeListener listener) {
        this.propertyChangeSupport.removePropertyChangeListener(propertyName, listener);
    }

}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/source/ssc/IFortifySSCConnectionHelper.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
package com.fortify.integration.sonarqube.common.source.ssc;

import com.fortify.client.ssc.connection.SSCAuthenticatingRestConnection;
import com.fortify.integration.sonarqube.common.IFortifyConnectionHelper;

/**
 * This interface provides access to the SSC connection details configured for
 * the current analysis: the SSC URL (including credentials), the SSC
 * application version id and the filter set GUID. The corresponding
 * {@link SSCAuthenticatingRestConnection} instance and the utility method for
 * checking whether SSC connection and application version id are available are
 * not declared here; presumably they are inherited from
 * {@link IFortifyConnectionHelper}, which is not visible in this file - confirm.
 * <p>
 * Security note: the URL embeds the SSC credentials. Implementations and
 * callers must not log it or write it into anything that can be read back
 * later; TODO.txt records that the URL/credentials are passed through hidden
 * metrics and that their exposure (for example through the web API) is still
 * an open item.
 *
 * @author Ruud Senden
 *
 */
public interface IFortifySSCConnectionHelper extends IFortifyConnectionHelper {
	/**
	 * @return SSC filter set GUID, or null if not available/configured
	 */
	public String getFilterSetGuid();

	/**
	 * @return SSC application version id, or null if not available/configured
	 */
	public String getApplicationVersionId();

	/**
	 * The returned string embeds the credentials, so the whole value must be
	 * treated as a secret: do not log it or include it in error messages.
	 *
	 * @return SSC URL (including credentials), or null if not available/configured
	 */
	public String getSSCUrl();

}
and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.sq67.source.ssc.ui;

import org.sonar.api.web.AbstractRubyTemplate;
import org.sonar.api.web.Description;
import org.sonar.api.web.RubyRailsWidget;
import org.sonar.api.web.UserRole;
import org.sonar.api.web.WidgetCategory;

/**
 * TODO Widgets are no longer supported; this class is currently not used.
 * The Fortify widget functionality should be reviewed to see what
 * functionality is still relevant for either SonarQube 6.7, 7.6 or both,
 * and rewritten as custom plugin pages.
 *
 * Legacy Ruby-on-Rails widget definition: it only exposes a fixed id, title
 * and ERB template path, and holds no SSC connection state of its own.
 */
@UserRole(UserRole.USER)
@Description("Retrieves Security Metrics from Fortify SSC")
@WidgetCategory("fortify-sonarqube")
public class FortifySSCWidget extends AbstractRubyTemplate implements RubyRailsWidget {
	/** Identifier under which the widget is registered. */
	private static final String WIDGET_ID = "fortify_ssc_widget";
	/** Title displayed for the widget. */
	private static final String WIDGET_TITLE = "Fortify SSC";
	/** Classpath location of the ERB template rendered by the widget. */
	private static final String TEMPLATE_PATH = "/FortifyWidget.html.erb";

	/** @return the fixed widget id */
	public String getId() {
		return WIDGET_ID;
	}

	/** @return the fixed widget title */
	public String getTitle() {
		return WIDGET_TITLE;
	}

	/** @return the fixed ERB template path */
	@Override
	protected String getTemplatePath() {
		return TEMPLATE_PATH;
	}

	/* USEFUL METHODS FOR THE JRUBY SIDE */

	/** No-op; retained for the JRuby side of the widget. */
	public void test() {
		// intentionally empty
	}

}
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/source/fod/issue/FortifyFoDIssueQueryHelper.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.source.fod.issue;

import com.fortify.client.fod.api.FoDVulnerabilityAPI;
import com.fortify.integration.sonarqube.common.issue.AbstractFortifySourceSystemIssueQueryHelper;
import com.fortify.integration.sonarqube.common.source.fod.IFortifyFoDConnectionHelper;
import com.fortify.util.rest.query.IRestConnectionQuery;

/**
 * Query helper for Fortify on Demand: builds the vulnerability query for the
 * release configured on the {@link IFortifyFoDConnectionHelper}.
 *
 * The query requests the field set declared by
 * {@link FortifyFoDIssueFieldsRetriever#ISSUE_FIELD_NAMES} and loads details
 * and recommendations on demand. The include-fixed and include-suppressed
 * parameters are both set to false, so (judging by the parameter names)
 * fixed and suppressed vulnerabilities are left out of the result.
 */
public final class FortifyFoDIssueQueryHelper extends AbstractFortifySourceSystemIssueQueryHelper {
	/** Names of the on-demand sections requested for every vulnerability. */
	private static final String ON_DEMAND_DETAILS = FortifyFoDIssueFieldsRetriever.ISSUE_FIELDS_ON_DEMAND.details.name();
	private static final String ON_DEMAND_RECOMMENDATIONS = FortifyFoDIssueFieldsRetriever.ISSUE_FIELDS_ON_DEMAND.recommendations.name();

	/**
	 * @param connHelper FoD connection helper providing the REST connection and release id
	 */
	public FortifyFoDIssueQueryHelper(IFortifyFoDConnectionHelper connHelper) {
		super(connHelper);
	}

	/**
	 * @return query returning all (non-fixed, non-suppressed) vulnerabilities for
	 *         the configured release
	 */
	@Override
	public final IRestConnectionQuery getAllIssuesQuery() {
		IFortifyFoDConnectionHelper connHelper = getConnHelper();
		FoDVulnerabilityAPI vulnerabilityApi = connHelper.getConnection().api(FoDVulnerabilityAPI.class);
		return vulnerabilityApi
				.queryVulnerabilities(connHelper.getReleaseId())
				.paramFields(FortifyFoDIssueFieldsRetriever.ISSUE_FIELD_NAMES)
				.paramIncludeFixed(false)
				.paramIncludeSuppressed(false)
				.onDemandDetails(ON_DEMAND_DETAILS)
				.onDemandRecommendations(ON_DEMAND_RECOMMENDATIONS)
				.build();
	}
}
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/source/ssc/issue/FortifySSCIssueQueryHelper.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its
affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.source.ssc.issue;

import com.fortify.client.ssc.api.SSCIssueAPI;
import com.fortify.client.ssc.api.query.builder.SSCApplicationVersionIssuesQueryBuilder.QueryMode;
import com.fortify.integration.sonarqube.common.issue.AbstractFortifySourceSystemIssueQueryHelper;
import com.fortify.integration.sonarqube.common.source.ssc.IFortifySSCConnectionHelper;
import com.fortify.util.rest.query.IRestConnectionQuery;

/**
 * Query helper for Fortify SSC: builds the issue query for the application
 * version and filter set configured on the {@link IFortifySSCConnectionHelper}.
 *
 * Hidden, removed and suppressed issues are all requested with "show" set to
 * false, so (judging by the parameter names) the SonarQube view reflects only
 * issues currently visible in SSC for the selected filter set.
 */
public final class FortifySSCIssueQueryHelper extends AbstractFortifySourceSystemIssueQueryHelper {
	/** Field names requested from SSC; shared with the field retriever. */
	public static final String[] ISSUE_FIELD_NAMES = FortifySSCIssueFieldsRetriever.ISSUE_FIELD_NAMES;

	/**
	 * @param connHelper SSC connection helper providing the REST connection,
	 *        application version id and filter set GUID
	 */
	public FortifySSCIssueQueryHelper(IFortifySSCConnectionHelper connHelper) {
		super(connHelper);
	}

	/**
	 * @return query returning all visible issues for the configured application
	 *         version, with issue details loaded on demand
	 */
	@Override
	public final IRestConnectionQuery getAllIssuesQuery() {
		IFortifySSCConnectionHelper connHelper = getConnHelper();
		SSCIssueAPI issueApi = connHelper.getConnection().api(SSCIssueAPI.class);
		// NOTE(review): the interface documents application version id and filter
		// set GUID as possibly null; this helper passes them through unchecked.
		return issueApi.queryIssues(connHelper.getApplicationVersionId())
				.paramFilterSet(connHelper.getFilterSetGuid())
				.paramFields(ISSUE_FIELD_NAMES)
				.paramShowHidden(false)
				.paramShowRemoved(false)
				.paramShowSuppressed(false)
				.paramQm(QueryMode.issues)
				.onDemandDetails()
				.build();
	}
}
--------------------------------------------------------------------------------
/dist/src/site/markdown/ssc-prep.md:
--------------------------------------------------------------------------------
# Preparing for use with Fortify SSC
The plugin loads all Fortify-related data from Fortify SSC. In order to allow the plug-in to access SSC, you will need to provide
the SSC URL and credentials in the SonarQube configuration or as plugin properties when running a SonarQube scan.
To authenticate
with SSC, you can either provide SSC user name and password credentials, or an SSC authentication token.

The SSC user account that the plugin connects with must be assigned to the application versions that you want to use the SonarQube plugin with, or
alternatively the user needs to have a role with the 'Universal Access' permission. In addition, the user must have a role with
(at least) the following permissions:

* View application versions
* Upload analysis results
* View jobs in queue

For token-based authentication, you will need to define a SonarQube-specific token in the SSC configuration, and then generate
an authentication token for use by the plugin.

* Add the following token definition to [SSC deployment directory]\WEB-INF\internal\serviceContext.xml.
  Note: This has not been updated yet for the new plugin version; you will either need to work out
  the correct token definition yourself, or for now use username/password authentication.
20 | 21 | ```xml 22 | 23 | 24 | 25 | 26 | 27 | GET=/api/v\d+/artifacts/\d+ 28 | GET=/api/v\d+/jobs 29 | GET=/api/v\d+/projectVersions 30 | GET=/api/v\d+/projectVersions/\d+/artifacts 31 | GET=/api/v\d+/projectVersions/\d+/filterSets 32 | GET=/api/v\d+/projectVersions/\d+/issues 33 | GET=/api/v\d+/projectVersions/\d+/performanceIndicatorHistories 34 | GET=/api/v\d+/projectVersions/\d+/variableHistories 35 | PUT=/api/v\d+/projectVersions/\d+/issueSearchOptions 36 | POST=/api/v\d+/fileTokens 37 | POST=/upload/resultFileUpload.html 38 | 39 | 40 | 41 | 42 | InvalidateTokenRequest 43 | DELETE=/api/v\d+/auth/token 44 | 45 | 46 | 47 | ``` 48 | * Restart the SSC application server 49 | * Generate a new SSC authentication token for use by the Fortify SonarQube plug-in: 50 | * `fortifyclient token -gettoken SonarQubeToken -user [user] -url [SSC URL]` 51 | * Enter the user password, and save the returned token for use in subsequent commands 52 | -------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/profile/FortifyProfile.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates, a Micro Focus company 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the 
Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.profile;

import org.sonar.api.server.profile.BuiltInQualityProfilesDefinition;

import com.fortify.integration.sonarqube.common.FortifyConstants;
import com.fortify.integration.sonarqube.common.FortifyPlugin;
import com.fortify.integration.sonarqube.common.language.FortifyLanguage;
import com.fortify.integration.sonarqube.common.rule.FortifyRulesDefinition;

/**
 * This class defines a default quality profile for the generic Fortify language
 * (see {@link FortifyLanguage}) with all available rules activated by default.
 *
 * This SonarQube extension is registered for all supported SonarQube
 * versions by {@link FortifyPlugin}.
 *
 * @author Ruud Senden
 *
 */
public class FortifyProfile implements BuiltInQualityProfilesDefinition {
	/** Name of the built-in profile created by this definition. */
	private static final String PROFILE_NAME = "Default";
	/** Repository key passed to activateRule for every Fortify rule. */
	private static final String RULE_REPOSITORY_KEY = "fortify";

	private final FortifyRulesDefinition rulesDefinition;

	/**
	 * @param rulesDefinition source of the rule keys to activate
	 */
	public FortifyProfile(FortifyRulesDefinition rulesDefinition) {
		this.rulesDefinition = rulesDefinition;
	}

	/**
	 * Creates the "Default" profile for the Fortify language key and activates
	 * every rule key reported by the rules definition.
	 */
	@Override
	public void define(Context context) {
		NewBuiltInQualityProfile profile = context.createBuiltInQualityProfile(PROFILE_NAME, FortifyConstants.FTFY_LANGUAGE_KEY);
		activateAllRules(profile);
		profile.done();
	}

	/** Activates each rule key from the rules definition on the given profile. */
	private void activateAllRules(NewBuiltInQualityProfile profile) {
		for (String ruleKey : rulesDefinition.getRuleKeys()) {
			profile.activateRule(RULE_REPOSITORY_KEY, ruleKey);
		}
	}

}
--------------------------------------------------------------------------------
/common/pom.xml:
--------------------------------------------------------------------------------
4.0.0
com.fortify.integration.sonarqube
fortify-sonarqube-plugin-root
2.7-SNAPSHOT
fortify-sonarqube-plugin-common
jar
Micro Focus Fortify SonarQube Plugin - Common
com.fasterxml.jackson.core
jackson-core
com.fasterxml.jackson.core
jackson-databind
com.fasterxml.jackson.core
jackson-annotations
com.fasterxml.jackson.dataformat
jackson-dataformat-yaml
org.codehaus.staxmate
staxmate
commons-lang
commons-lang
org.junit.jupiter
junit-jupiter-api
5.4.2
test
--------------------------------------------------------------------------------
/dist/src/main/assembly/dist.xml:
--------------------------------------------------------------------------------
dist
/
zip
/
${project.build.directory}
THIRD_PARTY_LICENSES.*
THIRD_PARTY_LICENSES/*
THIRD_PARTY_SOURCES/*
/
${project.build.directory}/../..
47 | 48 | README.md 49 | LICENSE.TXT 50 | 51 | 52 | 53 | documentation 54 | ${project.build.directory}/site 55 | 56 | 57 | / 58 | ${project.build.directory}/../../plugin/target 59 | 60 | fortify-sonarqube-plugin-${project.version}.jar 61 | 62 | 63 | 64 | / 65 | ${project.build.directory}/../../configure/target 66 | 67 | fortify-sonarqube-plugin-configure-${project.version}.jar 68 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/source/ssc/metrics/FortifySSCConnectionPropertiesMetrics.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.source.ssc.metrics;

import java.util.Arrays;
import java.util.List;

import org.sonar.api.measures.Metric;
import org.sonar.api.measures.Metrics;

/**
 * Declares the hidden, string-valued metrics used to carry the SSC connection
 * properties (URL, application version id, filter set GUID) as measures.
 *
 * The value stored under {@link #METRIC_SSC_URL} by the connection-properties
 * sensors is the SSC URL including credentials (see
 * IFortifySSCConnectionHelper#getSSCUrl). The metric is marked hidden, but
 * whether hidden measures are truly inaccessible to users who must not see
 * the credentials is still an open TODO in those sensors; treat this measure
 * as sensitive until that is confirmed.
 */
@SuppressWarnings("rawtypes")
public class FortifySSCConnectionPropertiesMetrics implements Metrics {
	public static final String PRP_SSC_URL = "fortify.ssc.url";
	public static final String PRP_APP_VERSION_ID = "fortify.ssc.applicationVersionId";
	public static final String PRP_FILTER_SET_GUID = "fortify.ssc.filterSetGuid";

	/** Domain under which all three metrics are grouped. */
	private static final String DOMAIN = "Fortify SSC";

	public static final Metric METRIC_SSC_URL = hiddenStringMetric(PRP_SSC_URL, "SSC URL");
	public static final Metric METRIC_SSC_APP_VERSION_ID = hiddenStringMetric(PRP_APP_VERSION_ID, "SSC Application Version Id");
	public static final Metric METRIC_SSC_FILTER_SET_GUID = hiddenStringMetric(PRP_FILTER_SET_GUID, "SSC Filter Set Guid");

	public static final String[] METRICS_KEYS = {PRP_SSC_URL, PRP_APP_VERSION_ID, PRP_FILTER_SET_GUID};
	private static final List METRICS = Arrays.asList(new Metric[] {METRIC_SSC_URL, METRIC_SSC_APP_VERSION_ID, METRIC_SSC_FILTER_SET_GUID});

	/**
	 * Builds a hidden STRING metric in the Fortify SSC domain.
	 *
	 * @param key metric key (also the property name)
	 * @param name human-readable metric name
	 */
	private static Metric hiddenStringMetric(String key, String name) {
		Metric.Builder builder = new Metric.Builder(key, name, Metric.ValueType.STRING);
		return builder.setDomain(DOMAIN).setHidden(true).create();
	}

	/** @return the three connection-property metrics, in declaration order */
	@Override
	public List getMetrics() {
		return METRICS;
	}
}
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/metrics/AbstractFortifyConfigurableMetrics.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.metrics;

import java.util.ArrayList;
import java.util.List;

import org.sonar.api.measures.Metric;
import org.sonar.api.measures.Metrics;

import com.fortify.integration.sonarqube.common.config.MetricsConfig;
import com.fortify.integration.sonarqube.common.config.MetricsConfig.MetricConfig;

/**
 * This {@link Metrics} implementation returns the {@link Metric} instances
 * corresponding to the {@link MetricsConfig} provided in the constructor.
 *
 * The metric list is computed once, in the constructor, from the
 * {@link MetricConfig} entries; {@link #getMetrics()} returns that same list
 * on every call.
 *
 * @author Ruud Senden
 *
 */
@SuppressWarnings("rawtypes")
public abstract class AbstractFortifyConfigurableMetrics implements Metrics {
	private List metrics;

	/**
	 * @param metricsConfig configuration whose entries are converted to metrics
	 */
	protected AbstractFortifyConfigurableMetrics(MetricsConfig metricsConfig) {
		this.metrics = _getMetrics(metricsConfig);
	}

	/**
	 * Converts every {@link MetricConfig} in the given configuration to a
	 * {@link Metric}.
	 *
	 * @param metricsConfig configuration to convert
	 * @return new list with one metric per configured entry, in configuration order
	 */
	protected static final List _getMetrics(MetricsConfig metricsConfig) {
		List converted = new ArrayList<>();
		for (MetricConfig entry : metricsConfig.getMetrics()) {
			converted.add(toMetric(entry));
		}
		return converted;
	}

	/**
	 * Builds one {@link Metric} from a single configuration entry. The value
	 * type is resolved by name from the configured type enum, so the configured
	 * type names must match {@link Metric.ValueType} constants.
	 */
	private static Metric toMetric(MetricConfig entry) {
		Metric.ValueType valueType = Metric.ValueType.valueOf(entry.getType().name());
		Metric.Builder builder = new Metric.Builder(entry.getKey(), entry.getName(), valueType);
		return builder
				.setDescription(entry.getDescription())
				.setDirection(entry.getDirection().intValue())
				.setQualitative(entry.isQualitative())
				.setDomain(entry.getDomain())
				.create();
	}

	/** @return the metrics computed from the configuration passed to the constructor */
	@Override
	public List getMetrics() {
		return metrics;
	}
}
--------------------------------------------------------------------------------
/common/src/main/java/com/fortify/integration/sonarqube/common/externalmetadata/ExternalCategory.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its
affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.externalmetadata;

import javax.xml.stream.XMLStreamException;

import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.builder.ReflectionToStringBuilder;
import org.codehaus.staxmate.in.SMInputCursor;


/**
 * A single category of an {@link ExternalList}, holding a name and a
 * description parsed from the external metadata XML.
 */
public class ExternalCategory {
	private ExternalList externalList;
	private String name;
	private String description;

	/**
	 * @param externalList the list this category belongs to
	 */
	public ExternalCategory(ExternalList externalList) {
		this.externalList = externalList;
	}

	/**
	 * @return identifier of the form fortify.&lt;list id&gt;.&lt;name hash&gt;.
	 *         Throws NullPointerException when no name has been set.
	 *         NOTE(review): the id is derived from String#hashCode of the name,
	 *         so two differently named categories in the same list can in
	 *         principle collide on the same id.
	 */
	public String getId() {
		StringBuilder id = new StringBuilder("fortify.");
		id.append(externalList.getId()).append('.').append(getName().hashCode());
		return id.toString();
	}

	public String getName() {
		return name;
	}

	public void setName(String name) {
		this.name = name;
	}

	public String getDescription() {
		return description;
	}

	public void setDescription(String description) {
		this.description = description;
	}

	/**
	 * Parses a category from the child elements under the given cursor.
	 * Only "Name" and "Description" elements are read; anything else is skipped.
	 *
	 * @param externalList list the parsed category belongs to
	 * @param childCursor cursor positioned before the category's child elements
	 * @return the parsed category
	 * @throws XMLStreamException on XML read errors
	 */
	public static ExternalCategory parse(ExternalList externalList, SMInputCursor childCursor) throws XMLStreamException {
		ExternalCategory category = new ExternalCategory(externalList);
		while (childCursor.getNext() != null) {
			String element = childCursor.getLocalName();
			if ("Name".equals(element)) {
				category.setName(trimmedText(childCursor));
			} else if ("Description".equals(element)) {
				category.setDescription(trimmedText(childCursor));
			}
		}
		return category;
	}

	/** Collects the descendant text of the current element and trims it. */
	private static String trimmedText(SMInputCursor cursor) throws XMLStreamException {
		return StringUtils.trim(cursor.collectDescendantText(false));
	}

	@Override
	public String toString() {
		return ReflectionToStringBuilder.toString(this);
	}

}
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/sq67/source/ssc/scanner/FortifySSCSQ67ConnectionPropertiesMetricsSensor.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
 ******************************************************************************/
package com.fortify.integration.sonarqube.sq67.source.ssc.scanner;

import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;

import com.fortify.integration.sonarqube.common.source.ssc.metrics.FortifySSCConnectionPropertiesMetrics;
import com.fortify.integration.sonarqube.common.source.ssc.scanner.IFortifySSCScannerSideConnectionHelper;
import com.fortify.integration.sonarqube.sq67.scanner.FortifySQ67AbstractSensor;

/**
 * SonarQube 6.7 sensor that stores the SSC URL and application version id as
 * hidden module-level measures, so the compute engine side can reconnect to SSC.
 *
 * The stored URL includes the SSC credentials (see
 * IFortifySSCConnectionHelper#getSSCUrl); see the TODO in {@link #_execute}
 * about whether the hidden measure is adequately protected.
 */
public final class FortifySSCSQ67ConnectionPropertiesMetricsSensor extends FortifySQ67AbstractSensor {
	/**
	 * @param connHelper scanner-side SSC connection helper providing URL and application version id
	 */
	public FortifySSCSQ67ConnectionPropertiesMetricsSensor(IFortifySSCScannerSideConnectionHelper connHelper) {
		super(connHelper);
	}

	/** Registers the sensor under a descriptive name. */
	@Override
	public void describe(SensorDescriptor descriptor) {
		descriptor.name("Set SSC connection properties for compute engine");
	}

	/**
	 * Saves the SSC URL and application version id on the current module.
	 */
	@SuppressWarnings("unchecked")
	@Override
	public void _execute(SensorContext context) {
		// TODO Verify whether this hidden measure can be retrieved in any way by users
		// that should not be able to see the SSC connection credentials. If so,
		// probably best to have the configuration utility generate a Yaml file with
		// a random shared secret to encrypt the URL/credentials here, and decrypt
		// this in FortifySSCComputeEngineSideConnectionHelper.
		// NOTE(review): both getters are documented as possibly returning null;
		// whether withValue(null) is accepted by the measure API is not verified here.
		String sscUrl = getConnHelper().getSSCUrl();
		String applicationVersionId = getConnHelper().getApplicationVersionId();
		context.newMeasure()
				.forMetric(FortifySSCConnectionPropertiesMetrics.METRIC_SSC_URL)
				.on(context.module())
				.withValue(sscUrl)
				.save();
		context.newMeasure()
				.forMetric(FortifySSCConnectionPropertiesMetrics.METRIC_SSC_APP_VERSION_ID)
				.on(context.module())
				.withValue(applicationVersionId)
				.save();
	}
}
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/sq67/issue/FortifySQ67IssueJSONMapProcessorFactory.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.sq67.issue;

import org.sonar.api.batch.sensor.SensorContext;

import com.fortify.integration.sonarqube.common.issue.AbstractFortifyIssueJSONMapProcessorFactory;
import com.fortify.integration.sonarqube.common.issue.IFortifyIssueInputFileRetriever;
import com.fortify.integration.sonarqube.common.issue.FortifyIssuesProcessor.CacheHelper;
import com.fortify.integration.sonarqube.common.issue.IFortifyIssueRuleKeysRetriever;
import com.fortify.integration.sonarqube.common.issue.IFortifySourceSystemIssueFieldRetriever;
import com.fortify.util.rest.json.processor.IJSONMapProcessor;

/**
 * SonarQube 6.7 factory for the JSON map processor that turns Fortify issues
 * into SonarQube issues. The processor itself adds nothing beyond the
 * abstract base; this class only wires the retrievers and cache helper in.
 */
public class FortifySQ67IssueJSONMapProcessorFactory extends AbstractFortifyIssueJSONMapProcessorFactory {
	/**
	 * @param issueFieldRetriever retriever used to read issue fields from the source system
	 */
	public FortifySQ67IssueJSONMapProcessorFactory(IFortifySourceSystemIssueFieldRetriever issueFieldRetriever) {
		super(issueFieldRetriever);
	}

	/**
	 * @return a new processor bound to the given sensor context, retrievers and cache helper
	 */
	@Override
	public IJSONMapProcessor getProcessor(SensorContext context, IFortifyIssueRuleKeysRetriever issueRuleKeysRetriever, IFortifyIssueInputFileRetriever issueInputFileRetriever, CacheHelper cacheHelper) {
		IFortifySourceSystemIssueFieldRetriever fieldRetriever = getIssueFieldRetriever();
		return new FortifySQ67IssueJSONMapProcessor(context, issueRuleKeysRetriever, fieldRetriever, issueInputFileRetriever, cacheHelper);
	}

	/** SQ 6.7 processor; delegates entirely to the abstract base class. */
	private static final class FortifySQ67IssueJSONMapProcessor extends AbstractFortifyIssueJSONMapProcessor {
		public FortifySQ67IssueJSONMapProcessor(SensorContext context, IFortifyIssueRuleKeysRetriever issueRuleKeysRetriever, IFortifySourceSystemIssueFieldRetriever issueFieldRetriever, IFortifyIssueInputFileRetriever issueInputFileRetriever, CacheHelper cacheHelper) {
			super(context, issueRuleKeysRetriever, issueFieldRetriever, issueInputFileRetriever, cacheHelper);
		}
	}

}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/sq76/source/ssc/scanner/FortifySSCSQ76ConnectionPropertiesMetricsSensor.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
 ******************************************************************************/
package com.fortify.integration.sonarqube.sq76.source.ssc.scanner;

import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;

import com.fortify.integration.sonarqube.common.source.ssc.metrics.FortifySSCConnectionPropertiesMetrics;
import com.fortify.integration.sonarqube.common.source.ssc.scanner.IFortifySSCScannerSideConnectionHelper;
import com.fortify.integration.sonarqube.sq76.scanner.FortifySQ76AbstractProjectSensor;

/**
 * SonarQube 7.6-specific scanner-side sensor that passes the SSC connection
 * properties (SSC URL and application version id) to the compute engine by
 * saving them as project-level measures on the metrics declared in
 * {@link FortifySSCConnectionPropertiesMetrics}. The base class only invokes
 * {@link #_execute(SensorContext)} when the connection helper reports an
 * available connection.
 */
public final class FortifySSCSQ76ConnectionPropertiesMetricsSensor extends FortifySQ76AbstractProjectSensor {
	/**
	 * @param connHelper scanner-side SSC connection helper; supplies the SSC URL and
	 *        application version id that {@link #_execute(SensorContext)} stores
	 */
	public FortifySSCSQ76ConnectionPropertiesMetricsSensor(IFortifySSCScannerSideConnectionHelper connHelper) {
		super(connHelper);
	}

	@Override
	public void describe(SensorDescriptor descriptor) {
		descriptor.name("Set SSC connection properties for compute engine");
	}

	/**
	 * Save the SSC URL and application version id as measures on the project
	 * component, one measure per metric.
	 *
	 * @param context sensor context; {@code context.project()} is the component the
	 *        measures are attached to
	 */
	// "unchecked" is suppressed presumably because the metric constants are raw Metric
	// types (as in the FoD counterpart, which is annotated @SuppressWarnings("rawtypes")).
	@SuppressWarnings("unchecked")
	@Override
	public void _execute(SensorContext context) {
		// TODO Verify whether this hidden measure can be retrieved in any way by users
		// that should not be able to see the SSC connection credentials. If so,
		// probably best to have the configuration utility generate a Yaml file with
		// a random shared secret to encrypt the URL/credentials here, and decrypt
		// this in FortifySSCComputeEngineSideConnectionHelper.
		//
		// NOTE(review): setHidden(true) on the metric definition controls presentation in
		// the web UI; it is not an access control on the stored measure. Until the TODO
		// above is resolved, treat the SSC URL and application version id as readable by
		// anyone with read access to the project. Only the URL and version id are stored
		// here; the FoD counterpart (FortifyFoDConnectionPropertiesMetrics) additionally
		// declares user and password metrics, where the same question matters far more.
		context.newMeasure().forMetric(FortifySSCConnectionPropertiesMetrics.METRIC_SSC_URL).on(context.project()).withValue(getConnHelper().getSSCUrl()).save();
		context.newMeasure().forMetric(FortifySSCConnectionPropertiesMetrics.METRIC_SSC_APP_VERSION_ID).on(context.project()).withValue(getConnHelper().getApplicationVersionId()).save();
	}
}
--------------------------------------------------------------------------------
/common/src/main/java/com/fortify/integration/sonarqube/common/config/AbstractYmlRootConfig.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
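 ******************************************************************************/
package com.fortify.integration.sonarqube.common.config;

import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Path;

/**
 * Base class for root-level Yaml configuration objects. The static factory methods
 * load a configuration from a class path resource, a file system path or a URL through
 * the inherited {@code MAPPER} (declared in {@link AbstractYmlConfig}; its configuration
 * is not visible in this file), and {@link #save} writes an instance back out.
 * <p>
 * All inputs are expected to be the plugin's own configuration resources supplied by
 * trusted callers. None of the load methods validates the origin of the given name,
 * path or URL, so callers must not pass values derived from untrusted input.
 */
public class AbstractYmlRootConfig extends AbstractYmlConfig {
	/**
	 * Load a Yaml configuration from a class path resource.
	 *
	 * @param name resource name as understood by {@link ClassLoader#getResource(String)},
	 *        resolved against this class's class loader
	 * @param type type to deserialize the Yaml document into
	 * @return the deserialized configuration
	 * @throws RuntimeException if the resource is not on the class path or cannot be read
	 */
	public static final <T> T load(String name, Class<T> type) {
		URL url = AbstractYmlRootConfig.class.getClassLoader().getResource(name);
		if ( url == null ) {
			throw new RuntimeException("File "+name+" cannot be found on the class path");
		}
		return load(url, type);
	}

	/**
	 * Load a Yaml configuration from a file system path.
	 *
	 * @param path path of the Yaml file
	 * @param type type to deserialize the Yaml document into
	 * @return the deserialized configuration
	 * @throws RuntimeException if the path cannot be converted to a URL or cannot be read
	 */
	public static final <T> T load(Path path, Class<T> type) {
		try {
			return load(path.toUri().toURL(), type);
		} catch (MalformedURLException e) {
			throw new RuntimeException("Error loading Yaml file from "+path.toString(), e);
		}
	}

	/**
	 * Load a Yaml configuration from a URL.
	 *
	 * @param url location of the Yaml document
	 * @param type type to deserialize the Yaml document into
	 * @return the deserialized configuration
	 * @throws RuntimeException wrapping the {@link IOException} if reading or parsing fails
	 */
	public static final <T> T load(URL url, Class<T> type) {
		try {
			return MAPPER.readValue(url, type);
		} catch (IOException e) {
			throw new RuntimeException("Error loading Yaml file from "+url.toString(), e);
		}
	}

	/**
	 * Create a new, default-initialized instance of the given configuration type
	 * through its no-argument constructor.
	 *
	 * @param type configuration type; must declare an accessible no-argument constructor
	 * @return a new instance
	 * @throws RuntimeException if the type cannot be instantiated; the reflective
	 *         exception is attached as the cause
	 */
	public static final <T> T create(Class<T> type) {
		try {
			// Class.newInstance() is deprecated because it rethrows any checked exception
			// from the constructor without declaring it. Going through the Constructor wraps
			// such exceptions in InvocationTargetException, which the catch below covers.
			return type.getDeclaredConstructor().newInstance();
		} catch (ReflectiveOperationException e) {
			// The original dropped the cause, which hid why instantiation failed.
			throw new RuntimeException("Error creating new instance for "+type.getName(), e);
		}
	}

	/**
	 * Write this configuration as Yaml to the given path.
	 *
	 * @param outputPath destination file path
	 */
	public void save(Path outputPath) {
		save(outputPath.toFile());
	}

	/**
	 * Write this configuration as Yaml to the given file, overwriting it.
	 *
	 * @param outputFile destination file
	 * @throws RuntimeException wrapping the {@link IOException} if writing fails
	 */
	public void save(File outputFile) {
		try {
			MAPPER.writeValue(outputFile, this);
		} catch (IOException e) {
			throw new RuntimeException("Error saving Yaml file to "+outputFile.toString(), e);
		}
	}
}

--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/sq76/scanner/FortifySQ76AbstractProjectSensor.java: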
-------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
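 ******************************************************************************/
package com.fortify.integration.sonarqube.sq76.scanner;

import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.scanner.sensor.ProjectSensor;
import org.sonar.api.utils.log.Logger;
import org.sonar.api.utils.log.Loggers;

import com.fortify.integration.sonarqube.common.IFortifyConnectionHelper;

/**
 * This 7.6-specific abstract {@link ProjectSensor} base class provides functionality
 * for storing the scanner-side connection helper, and executing concrete sensor
 * implementations only if a source system connection (SSC or FoD, depending on the
 * connection helper type {@code CH}) is available and the sensor is active.
 * Contrary to the 6.7-specific implementation, implementations extending from this
 * base class are executed only once per project, instead of being executed separately
 * for every module.
 *
 * @author Ruud Senden
 *
 * @param <CH> scanner-side connection helper type
 */
public abstract class FortifySQ76AbstractProjectSensor<CH extends IFortifyConnectionHelper> implements ProjectSensor {
	private static final Logger LOG = Loggers.get(FortifySQ76AbstractProjectSensor.class);
	private final CH connHelper;

	/**
	 * @param connHelper scanner-side connection helper consulted before every execution
	 */
	public FortifySQ76AbstractProjectSensor(CH connHelper) {
		this.connHelper = connHelper;
	}

	/**
	 * Run {@link #_execute(SensorContext)} only when the connection helper reports an
	 * available connection and {@link #isActive(SensorContext)} returns true; otherwise
	 * log the reason for skipping at INFO level.
	 * <p>
	 * This base class is shared by SSC and FoD sensors, so the skip message names the
	 * concrete sensor class instead of a specific source system: the previous wording
	 * always said "FoD connection", which was misleading for SSC-based sensors.
	 *
	 * @param context sensor context passed on to {@link #_execute(SensorContext)}
	 */
	@Override
	public final void execute(SensorContext context) {
		if ( !connHelper.isConnectionAvailable() ) {
			LOG.info("Skipping sensor execution for "+getClass().getSimpleName()+"; source system connection has not been configured");
		} else if ( !isActive(context) ) {
			LOG.info("Skipping sensor execution for "+getClass().getSimpleName()+"; sensor is not active");
		} else {
			_execute(context);
		}
	}

	/**
	 * Sensor-specific work; only called once the connection and activity checks in
	 * {@link #execute(SensorContext)} have passed.
	 *
	 * @param context current sensor context
	 */
	protected abstract void _execute(SensorContext context);

	/**
	 * Whether this sensor should run for the given context. Defaults to {@code true};
	 * subclasses override to add their own conditions.
	 *
	 * @param context current sensor context
	 * @return {@code true} to run the sensor
	 */
	protected boolean isActive(SensorContext context) {
		return true;
	}

	/** @return the scanner-side connection helper given to the constructor */
	public final CH getConnHelper() {
		return connHelper;
	}
}

--------------------------------------------------------------------------------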
/plugin/src/main/java/com/fortify/integration/sonarqube/common/FortifyConstants.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates, a Micro Focus company
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.common;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.sonar.api.batch.rule.Severity;

import com.fortify.integration.sonarqube.common.language.FortifyLanguage;

/**
 * Constants shared across the plugin: the Fortify language key, the property
 * category names, and the Fortify friority to SonarQube severity mapping.
 *
 * @author Ruud Senden
 *
 */
public final class FortifyConstants {
	private FortifyConstants() {}

	/** SonarQube key for the Fortify language, see {@link FortifyLanguage} */
	public static final String FTFY_LANGUAGE_KEY = "fortify";

	public static final String PROPERTY_CATEGORY_GENERIC = "Fortify";
	public static final String PROPERTY_CATEGORY_FOD = "Fortify - FoD";
	public static final String PROPERTY_CATEGORY_SSC = "Fortify - SSC";

	/**
	 * Immutable mapping from Fortify friority (lower-case keys) to SonarQube severity.
	 * Lookups are case-sensitive; anything not listed maps to {@link Severity#INFO}
	 * in {@link #FRIORITY_TO_SEVERITY(String)}.
	 */
	private static final Map<String, Severity> MAP_FRIORITY_TO_SEVERITY;
	static {
		// TODO Med: Review this mapping
		Map<String, Severity> friorityToSeverity = new HashMap<>();
		friorityToSeverity.put("critical", Severity.BLOCKER);
		friorityToSeverity.put("high", Severity.CRITICAL);
		friorityToSeverity.put("medium", Severity.MAJOR);
		friorityToSeverity.put("low", Severity.MINOR);
		MAP_FRIORITY_TO_SEVERITY = Collections.unmodifiableMap(friorityToSeverity);
	}

	/**
	 * Get the SonarQube severity for the given Fortify friority.
	 *
	 * @param friority Fortify friority; one of {@code critical}, {@code high},
	 *        {@code medium} or {@code low} (case-sensitive)
	 * @return the mapped severity, or {@link Severity#INFO} for any unknown or null friority
	 */
	public static final Severity FRIORITY_TO_SEVERITY(String friority) {
		Severity mapped = MAP_FRIORITY_TO_SEVERITY.get(friority);
		return mapped == null ? Severity.INFO : mapped;
	}
}

--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/sq67/scanner/FortifySQ67AbstractSensor.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files
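(the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.sq67.scanner;

import org.sonar.api.batch.InstantiationStrategy;
import org.sonar.api.batch.ScannerSide;
import org.sonar.api.batch.sensor.Sensor;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.utils.log.Logger;
import org.sonar.api.utils.log.Loggers;

import com.fortify.integration.sonarqube.common.IFortifyConnectionHelper;

/**
 * This 6.7-specific abstract {@link Sensor} base class provides functionality
 * for storing the scanner-side connection helper, and executing concrete sensor
 * implementations only if a source system connection (SSC or FoD, depending on the
 * connection helper type {@code CH}) is available and the sensor is active.
 * Contrary to the 7.6-specific implementation, implementations extending from this
 * base class are executed separately for every module, instead of being executed
 * only once per project.
 *
 * @author Ruud Senden
 *
 * @param <CH> scanner-side connection helper type
 */
@ScannerSide
@InstantiationStrategy(InstantiationStrategy.PER_BATCH)
public abstract class FortifySQ67AbstractSensor<CH extends IFortifyConnectionHelper> implements Sensor {
	private static final Logger LOG = Loggers.get(FortifySQ67AbstractSensor.class);
	private final CH connHelper;

	/**
	 * @param connHelper scanner-side connection helper consulted before every execution
	 */
	public FortifySQ67AbstractSensor(CH connHelper) {
		this.connHelper = connHelper;
	}

	/**
	 * Run {@link #_execute(SensorContext)} only when the connection helper reports an
	 * available connection and {@link #isActive(SensorContext)} returns true; otherwise
	 * log the reason for skipping at INFO level.
	 * <p>
	 * This base class is shared by SSC and FoD sensors, so the skip message names the
	 * concrete sensor class instead of a specific source system: the previous wording
	 * always said "SSC connection", which was misleading for FoD-based sensors.
	 *
	 * @param context sensor context passed on to {@link #_execute(SensorContext)}
	 */
	@Override
	public final void execute(SensorContext context) {
		if ( !connHelper.isConnectionAvailable() ) {
			LOG.info("Skipping sensor execution for "+getClass().getSimpleName()+"; source system connection has not been configured");
		} else if ( !isActive(context) ) {
			LOG.info("Skipping sensor execution for "+getClass().getSimpleName()+"; sensor is not active");
		} else {
			_execute(context);
		}
	}

	/**
	 * Sensor-specific work; only called once the connection and activity checks in
	 * {@link #execute(SensorContext)} have passed.
	 *
	 * @param context current sensor context
	 */
	protected abstract void _execute(SensorContext context);

	/**
	 * Whether this sensor should run for the given context. Defaults to {@code true};
	 * subclasses override to add their own conditions.
	 *
	 * @param context current sensor context
	 * @return {@code true} to run the sensor
	 */
	protected boolean isActive(SensorContext context) {
		return true;
	}

	/** @return the scanner-side connection helper given to the constructor */
	public final CH getConnHelper() {
		return connHelper;
	}
}

--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/source/fod/metrics/FortifyFoDConnectionPropertiesMetrics.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 *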
sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.source.fod.metrics;

import java.util.Arrays;
import java.util.List;

import org.sonar.api.measures.Metric;
import org.sonar.api.measures.Metrics;

/**
 * Declares the hidden, string-valued metrics used to pass FoD connection
 * properties from the scanner to the compute engine, together with the
 * property keys they are registered under.
 * <p>
 * Security note: {@link #METRIC_FOD_USER} and {@link #METRIC_FOD_PWD} carry an
 * FoD credential as a measure value. {@code setHidden(true)} controls how a
 * metric is presented in the web UI; it is not an access control on the
 * stored measure. Whether these measures can be read by users who should not
 * see the credential is an open question (see the TODO in
 * FortifySSCSQ76ConnectionPropertiesMetricsSensor); until it is settled,
 * assume anyone with read access to the project can read them.
 */
@SuppressWarnings("rawtypes")
public class FortifyFoDConnectionPropertiesMetrics implements Metrics {
	public static final String PRP_FOD_URL = "fortify.fod.url";
	public static final String PRP_FOD_TENANT = "fortify.fod.tenant";
	public static final String PRP_FOD_USER = "fortify.fod.user";
	public static final String PRP_FOD_PWD = "fortify.fod.pwd";
	public static final String PRP_FOD_RELEASE_ID = "fortify.fod.releaseId";

	public static final Metric METRIC_FOD_URL = hiddenStringMetric(PRP_FOD_URL, "FoD URL");
	public static final Metric METRIC_FOD_TENANT = hiddenStringMetric(PRP_FOD_TENANT, "FoD Tenant");
	public static final Metric METRIC_FOD_USER = hiddenStringMetric(PRP_FOD_USER, "FoD User");
	/** Carries the FoD password; see the class-level security note */
	public static final Metric METRIC_FOD_PWD = hiddenStringMetric(PRP_FOD_PWD, "FoD Password");
	public static final Metric METRIC_FOD_RELEASE_ID = hiddenStringMetric(PRP_FOD_RELEASE_ID, "FoD Release Id");

	/** Metric keys, in the same order as {@link #getMetrics()} */
	public static final String[] METRICS_KEYS = {PRP_FOD_URL, PRP_FOD_TENANT, PRP_FOD_USER, PRP_FOD_PWD, PRP_FOD_RELEASE_ID};
	private static final List METRICS = Arrays.asList(METRIC_FOD_URL, METRIC_FOD_TENANT, METRIC_FOD_USER, METRIC_FOD_PWD, METRIC_FOD_RELEASE_ID);

	/**
	 * Build a hidden, string-valued metric in the "Fortify" domain.
	 *
	 * @param key metric key (also the property key)
	 * @param name display name
	 * @return the created metric
	 */
	private static Metric hiddenStringMetric(String key, String name) {
		return new Metric.Builder(key, name, Metric.ValueType.STRING)
				.setDomain("Fortify").setHidden(true).create();
	}

	/** @return the five connection property metrics declared by this class */
	@Override
	public List getMetrics() {
		return METRICS;
	}
}

--------------------------------------------------------------------------------
/common/src/main/java/com/fortify/integration/sonarqube/common/ssc/SSCMetricsExpressionField.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.ssc;

import java.util.LinkedHashMap;
import java.util.Map;

import com.fortify.integration.sonarqube.common.IMetricsExpressionField;
import com.fortify.integration.sonarqube.common.MetricsExpressionFieldsHTMLDescriptionHelper;

/**
 * Fields that SSC metric expressions may reference, each with a human-readable
 * description. The constant name is the field name used in expressions; the
 * descriptions are embedded as-is into the HTML help text built by
 * {@link MetricsExpressionFieldsHTMLDescriptionHelper}, so they should stay free
 * of markup-significant characters.
 */
public enum SSCMetricsExpressionField implements IMetricsExpressionField {
	filterSets("All fields returned by the /api/v1/projectVersions/${id}/filterSets endpoint"),
	performanceIndicatorHistories("All fields returned by the /api/v1/projectVersions/${id}/performanceIndicatorHistories endpoint"),
	variableHistories("All fields returned by the /api/v1/projectVersions/${id}/variableHistories endpoint"),
	var("Variable value by name, i.e. var['variableName']"),
	pi("Performance indicator value by name, i.e. pi['performanceIndicatorName']"),
	scaArtifact("For the most recent artifact that has not yet been processed, or most recent SCA artifact, all fields returned by the /api/v1/projectVersions/${id}/artifacts endpoint");

	private final String description;

	SSCMetricsExpressionField(String description) {
		this.description = description;
	}

	/** @return human-readable description of this expression field */
	public String description() {
		return description;
	}

	/**
	 * Build the HTML help text listing the SSC expression fields and a set of
	 * example expressions, keyed by expression with a description as value.
	 *
	 * @return HTML description produced by {@link MetricsExpressionFieldsHTMLDescriptionHelper}
	 */
	public static final String getMetricsExpressionFieldsHTMLDescription() {
		// LinkedHashMap keeps the examples in the order listed below
		final Map<String, String> exampleExpressions = new LinkedHashMap<>();
		exampleExpressions.put("name", "Application version name");
		exampleExpressions.put("project.name", "Application name");
		exampleExpressions.put("deepLink", "Deep link to application version");
		exampleExpressions.put("pi['Fortify Security Rating']", "Performance Indicator 'Fortify Security Rating' value");
		exampleExpressions.put("var['CFPO']", "Variable 'CFPO' value");
		exampleExpressions.put("var['CFPO']+var['HFPO']", "Sum of variable values 'CFPO' and 'HFPO'");
		final SSCMetricsExpressionField[] fields = SSCMetricsExpressionField.values();
		return MetricsExpressionFieldsHTMLDescriptionHelper.getMetricsExpressionFieldsHTMLDescription("/api/v1/projectVersions", fields, exampleExpressions);
	}
}
--------------------------------------------------------------------------------
/plugin/src/main/java/com/fortify/integration/sonarqube/common/source/fod/ce/FortifyFoDConfigurableMeasureComputer.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the
Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.source.fod.ce;

import com.fortify.client.fod.api.FoDReleaseAPI;
import com.fortify.client.fod.connection.FoDAuthenticatingRestConnection;
import com.fortify.integration.sonarqube.common.ce.AbstractFortifyConfigurableMeasureComputer;
import com.fortify.integration.sonarqube.common.source.fod.metrics.FortifyFoDConfigurableMetrics;
import com.fortify.util.rest.json.JSONMap;

/**
 * Compute-engine-side measure computer for FoD. It feeds the configurable metrics
 * defined in {@link FortifyFoDConfigurableMetrics#METRICS_CONFIG} with the FoD
 * release data fetched in {@link #getConfigurableMeasuresInputData}. The FoD
 * connection is rebuilt on the compute engine from the connection property
 * metrics named by {@link #getConnectionPropertiesMetricKeys()}.
 */
public final class FortifyFoDConfigurableMeasureComputer extends AbstractFortifyConfigurableMeasureComputer {
	public FortifyFoDConfigurableMeasureComputer() {
		super(FortifyFoDConfigurableMetrics.METRICS_CONFIG);
	}

	/** @return keys of the input metrics the compute-engine-side connection helper reads */
	@Override
	protected final String[] getConnectionPropertiesMetricKeys() {
		return FortifyFoDComputeEngineSideConnectionHelper.getInputMetricKeys();
	}

	/**
	 * @param context compute engine context (MeasureComputerContext is resolved without an
	 *        import here, presumably as a member type inherited through the base class)
	 * @return a new connection helper bound to the given context
	 */
	@Override
	protected FortifyFoDComputeEngineSideConnectionHelper getComputeEngineSideConnectionHelper(MeasureComputerContext context) {
		return new FortifyFoDComputeEngineSideConnectionHelper(context);
	}

	/**
	 * Retrieve the release data from FoD that the metric expressions operate on. The
	 * result holds the standard release JSON fields, plus whatever on-demand fields
	 * the query builder adds.
	 *
	 * @param connHelper compute-engine-side connection helper providing the FoD
	 *        connection and the release id
	 * @return the release JSON; never {@code null}
	 * @throws IllegalArgumentException if FoD returns no release for the configured id
	 */
	protected final JSONMap getConfigurableMeasuresInputData(FortifyFoDComputeEngineSideConnectionHelper connHelper) {
		final FoDAuthenticatingRestConnection conn = connHelper.getConnection();
		final String releaseId = connHelper.getReleaseId();
		final FoDReleaseAPI releaseApi = conn.api(FoDReleaseAPI.class);
		// TODO Any other interesting API's that we could load on demand?
		final JSONMap release = releaseApi.queryReleases().releaseId(releaseId).build().getUnique();
		if ( release==null ) {
			throw new IllegalArgumentException("FoD release "+releaseId+" not found");
		}
		return release;
	}
}

--------------------------------------------------------------------------------
/common/src/main/java/com/fortify/integration/sonarqube/common/MetricsExpressionFieldsHTMLDescriptionHelper.java:
--------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | package com.fortify.integration.sonarqube.common; 26 | 27 | import java.util.Map; 28 | 29 | public class MetricsExpressionFieldsHTMLDescriptionHelper { 30 | public static final String getDescriptionHeader() { 31 | return "

Expressions define how to calculate the metric values." 32 | + " For general information about these expressions, see the" 33 | + " Spring Expression Language (SpEL) reference at" 34 | + " https://docs.spring.io/spring/docs/4.3.22.RELEASE/spring-framework-reference/html/expressions.html." 35 | + "

"; 36 | } 37 | 38 | public static final String getMetricsExpressionFieldValuesAsHTMLListEntries(IMetricsExpressionField[] values) { 39 | StringBuffer sb = new StringBuffer(); 40 | for ( IMetricsExpressionField field : values ) { 41 | sb.append("
  • ").append(field.name()).append(" - ").append(field.description()).append("
  • "); 42 | } 43 | return sb.toString(); 44 | } 45 | 46 | public static final String getMapAsHTMLListEntries(Map map) { 47 | StringBuffer sb = new StringBuffer(); 48 | for ( Map.Entry entry : map.entrySet() ) { 49 | sb.append("
  • ").append(entry.getKey()).append(" - ").append(entry.getValue()).append("
  • "); 50 | } 51 | return sb.toString(); 52 | } 53 | 54 | public static final String getMetricsExpressionFieldsHTMLDescription(String mainEndpoint, IMetricsExpressionField[] values, Map examples) { 55 | StringBuffer sb = new StringBuffer(""); 56 | sb.append(getDescriptionHeader()); 57 | sb.append("

    The following fields can be used in these expressions:

    " 58 | + "
      " 59 | + "
    • All fields returned by the "+mainEndpoint+" endpoint
    • "); 60 | sb.append(getMetricsExpressionFieldValuesAsHTMLListEntries(values)); 61 | sb.append("
    "); 62 | if ( examples != null ) { 63 | sb.append("

    Following are some example expressions:

      "); 64 | sb.append(getMapAsHTMLListEntries(examples)); 65 | sb.append("
    "); 66 | } 67 | 68 | sb.append(""); 69 | return sb.toString(); 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /configure/src/main/java/com/fortify/integration/sonarqube/configure/ExpressionHelpDialog.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
******************************************************************************/
package com.fortify.integration.sonarqube.configure;

import java.awt.BorderLayout;
import java.awt.FlowLayout;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;

import javax.swing.JButton;
import javax.swing.JDialog;
import javax.swing.JPanel;
import javax.swing.JScrollPane;
import javax.swing.JTextPane;
import javax.swing.UIManager;
import javax.swing.border.EmptyBorder;

/**
 * Swing dialog that renders a block of HTML help text in a read-only, scrollable
 * text pane with a single OK button. The dialog shows itself as soon as it has
 * been constructed and is disposed when closed.
 */
public class ExpressionHelpDialog extends JDialog {

    private final JPanel contentPanel = new JPanel();
    private final String htmlContents;

    /**
     * Create and show the dialog.
     * @param title window title
     * @param htmlContents HTML fragment rendered in the dialog body. It is handed
     *        unescaped to a {@link JTextPane} with content type text/html, so it is
     *        expected to come from the application itself rather than from external input.
     */
    public ExpressionHelpDialog(String title, String htmlContents) {
        this.htmlContents = htmlContents;
        setTitle(title);
        setDefaultCloseOperation(JDialog.DISPOSE_ON_CLOSE);
        setBounds(100, 100, 800, 400);
        getContentPane().setLayout(new BorderLayout());
        contentPanel.setBorder(new EmptyBorder(5, 5, 5, 5));
        getContentPane().add(contentPanel, BorderLayout.CENTER);
        contentPanel.setLayout(new BorderLayout(0, 0));
        contentPanel.add(createHelpPane(htmlContents));
        getContentPane().add(createButtonPane(), BorderLayout.SOUTH);
        setVisible(true);
    }

    /** Builds the non-editable HTML pane, wrapped in a scroll pane. */
    private static JScrollPane createHelpPane(String html) {
        JTextPane helpPane = new JTextPane();
        helpPane.setBackground(UIManager.getColor("Label.background"));
        helpPane.setEnabled(true);
        helpPane.setContentType("text/html");
        helpPane.setText(html);
        helpPane.setEditable(false);
        return new JScrollPane(helpPane);
    }

    /** Builds the right-aligned button bar; its OK button hides the dialog and is the default button. */
    private JPanel createButtonPane() {
        JPanel buttonPane = new JPanel(new FlowLayout(FlowLayout.RIGHT));
        JButton okButton = new JButton("OK");
        okButton.addActionListener((ActionEvent e) -> setVisible(false));
        okButton.setActionCommand("OK");
        buttonPane.add(okButton);
        getRootPane().setDefaultButton(okButton);
        return buttonPane;
    }
}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/sq67/source/fod/scanner/FortifyFoDSQ67ConnectionPropertiesMetricsSensor.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
******************************************************************************/
package com.fortify.integration.sonarqube.sq67.source.fod.scanner;

import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;

import com.fortify.integration.sonarqube.common.source.fod.metrics.FortifyFoDConnectionPropertiesMetrics;
import com.fortify.integration.sonarqube.common.source.fod.scanner.IFortifyFoDScannerSideConnectionHelper;
import com.fortify.integration.sonarqube.sq67.scanner.FortifySQ67AbstractSensor;

/**
 * SonarQube 6.7 scanner-side sensor that saves the FoD connection settings
 * (URL, tenant, user, password and release id) as module-level measures, so that
 * the compute-engine side can read them back from the analysis report.
 * <p>
 * NOTE(review): the FoD password is written as a plain-text measure value; see the
 * TODO in {@link #_execute(SensorContext)} before relying on "hidden" metrics for secrecy.
 */
public final class FortifyFoDSQ67ConnectionPropertiesMetricsSensor extends FortifySQ67AbstractSensor {
    public FortifyFoDSQ67ConnectionPropertiesMetricsSensor(IFortifyFoDScannerSideConnectionHelper connHelper) {
        super(connHelper);
    }

    @Override
    public void describe(SensorDescriptor descriptor) {
        descriptor.name("Set FoD connection properties for compute engine");
    }

    // The NewMeasure chain below is used without explicit type arguments, hence the unchecked suppression.
    @SuppressWarnings("unchecked")
    @Override
    public void _execute(SensorContext context) {
        // TODO Verify whether this hidden measure can be retrieved in any way by users
        // that should not be able to see the FoD connection credentials. If so,
        // probably best to have the configuration utility generate a Yaml file with
        // a random shared secret to encrypt the URL/credentials here, and decrypt
        // this in FortifyFoDComputeEngineSideConnectionHelper.
        // NOTE(review): "hidden" presumably only affects UI display; confirm whether these
        // metric keys can still be requested explicitly through the web API (e.g.
        // api/measures/component with metricKeys) by any user holding Browse permission
        // on the project, and whether the scanner report persisted on disk keeps them.
        // Either would expose METRIC_FOD_PWD in clear text.
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_URL).on(context.module()).withValue(getConnHelper().getFoDUrl()).save();
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_TENANT).on(context.module()).withValue(getConnHelper().getFoDTenant()).save();
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_USER).on(context.module()).withValue(getConnHelper().getFoDUser()).save();
        // Credential material: stored with the same visibility as the other connection properties.
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_PWD).on(context.module()).withValue(getConnHelper().getFoDPassword()).save();
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_RELEASE_ID).on(context.module()).withValue(getConnHelper().getReleaseId()).save();
    }
}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/sq76/source/fod/scanner/FortifyFoDSQ76ConnectionPropertiesMetricsSensor.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
*
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.sq76.source.fod.scanner;

import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;

import com.fortify.integration.sonarqube.common.source.fod.metrics.FortifyFoDConnectionPropertiesMetrics;
import com.fortify.integration.sonarqube.common.source.fod.scanner.IFortifyFoDScannerSideConnectionHelper;
import com.fortify.integration.sonarqube.sq76.scanner.FortifySQ76AbstractProjectSensor;

/**
 * SonarQube 7.6 scanner-side sensor that saves the FoD connection settings
 * (URL, tenant, user, password and release id) as project-level measures, so that
 * the compute-engine side can read them back from the analysis report.
 * <p>
 * NOTE(review): the FoD password is written as a plain-text measure value; see the
 * TODO in {@link #_execute(SensorContext)} before relying on "hidden" metrics for secrecy.
 */
public final class FortifyFoDSQ76ConnectionPropertiesMetricsSensor extends FortifySQ76AbstractProjectSensor {
    public FortifyFoDSQ76ConnectionPropertiesMetricsSensor(IFortifyFoDScannerSideConnectionHelper connHelper) {
        super(connHelper);
    }

    @Override
    public void describe(SensorDescriptor descriptor) {
        descriptor.name("Set FoD connection properties for compute engine");
    }

    // The NewMeasure chain below is used without explicit type arguments, hence the unchecked suppression.
    @SuppressWarnings("unchecked")
    @Override
    public void _execute(SensorContext context) {
        // TODO Verify whether this hidden measure can be retrieved in any way by users
        // that should not be able to see the FoD connection credentials. If so,
        // probably best to have the configuration utility generate a Yaml file with
        // a random shared secret to encrypt the URL/credentials here, and decrypt
        // this in FortifyFoDComputeEngineSideConnectionHelper.
        // NOTE(review): "hidden" presumably only affects UI display; confirm whether these
        // metric keys can still be requested explicitly through the web API (e.g.
        // api/measures/component with metricKeys) by any user holding Browse permission
        // on the project, and whether the scanner report persisted on disk keeps them.
        // Either would expose METRIC_FOD_PWD in clear text.
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_URL).on(context.project()).withValue(getConnHelper().getFoDUrl()).save();
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_TENANT).on(context.project()).withValue(getConnHelper().getFoDTenant()).save();
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_USER).on(context.project()).withValue(getConnHelper().getFoDUser()).save();
        // Credential material: stored with the same visibility as the other connection properties.
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_PWD).on(context.project()).withValue(getConnHelper().getFoDPassword()).save();
        context.newMeasure().forMetric(FortifyFoDConnectionPropertiesMetrics.METRIC_FOD_RELEASE_ID).on(context.project()).withValue(getConnHelper().getReleaseId()).save();
    }
}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/source/ssc/issue/FortifySSCIssueFieldsRetriever.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above
copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.source.ssc.issue;

import java.util.Arrays;

import com.fortify.integration.sonarqube.common.issue.AbstractFortifySourceSystemIssueFieldRetriever;
import com.fortify.util.rest.json.JSONMap;

/**
 * Reads the individual fields of an SSC issue (as returned by the SSC REST API
 * and wrapped in a {@link JSONMap}) for the common issue-processing code.
 * <p>
 * NOTE(review): generic type parameters (the {@code <T>} on the enum {@code get}
 * methods) appear to have been stripped from this rendering of the file; verify
 * against the repository before copying this code.
 */
public final class FortifySSCIssueFieldsRetriever extends AbstractFortifySourceSystemIssueFieldRetriever {
    /** Issue fields that are requested from SSC by name; the enum constant name is the JSON key. */
    public static enum ISSUE_FIELDS {
        id, deepLink, engineCategory, issueName, friority, lineNumber, fullFileName;

        /** Returns this field from the issue, converted to {@code returnType}. */
        public T get(JSONMap issue, Class returnType) {
            return issue.get(name(), returnType);
        }

        /** Returns this field from the issue as a String. */
        public String get(JSONMap issue) {
            return get(issue, String.class);
        }
    }

    /**
     * Issue fields that are loaded on demand; the constant name maps to a nested JSON
     * path by replacing '_' with '.', e.g. details_detail reads "details.detail".
     */
    public static enum ISSUE_FIELDS_ON_DEMAND {
        details, details_detail, details_recommendation;

        /** Returns the nested field from the issue, converted to {@code returnType}. */
        public T get(JSONMap issue, Class returnType) {
            return issue.getPath(name().replace('_', '.'), returnType);
        }

        /** Returns the nested field from the issue as a String. */
        public String get(JSONMap issue) {
            return get(issue, String.class);
        }
    }

    /** Names of all {@link ISSUE_FIELDS}, in declaration order (e.g. for building the SSC field selection). */
    public static final String[] ISSUE_FIELD_NAMES = Arrays.stream(ISSUE_FIELDS.values()).map(Enum::name).toArray(String[]::new);

    @Override
    public final String getId(JSONMap issue) { return ISSUE_FIELDS.id.get(issue); }

    @Override
    public final String getFileName(JSONMap issue) { return ISSUE_FIELDS.fullFileName.get(issue); }

    @Override
    public final String getFriority(JSONMap issue) { return ISSUE_FIELDS.friority.get(issue); }

    @Override
    public final Integer getLineNumber(JSONMap issue) { return ISSUE_FIELDS.lineNumber.get(issue, Integer.class); }

    @Override
    public final String getCategory(JSONMap issue) { return ISSUE_FIELDS.issueName.get(issue); }

    @Override
    public final String getDeepLink(JSONMap issue) { return ISSUE_FIELDS.deepLink.get(issue); }

    /**
     * Builds the rule description from the on-demand detail and recommendation texts.
     * The SSC-provided text is concatenated without escaping, so any markup it contains
     * is passed through to wherever the description is rendered.
     * NOTE(review): the {@code style} literal and the replacement literal in the
     * {@code replace} call look garbled in this rendering (the latter was most likely
     * an HTML line-break tag); confirm the real values against the repository.
     */
    @Override
    public String getRuleDescription(JSONMap issue) {
        String style = "";
        String detail = ISSUE_FIELDS_ON_DEMAND.details_detail.get(issue);
        String recommendation = ISSUE_FIELDS_ON_DEMAND.details_recommendation.get(issue);

        return style+(detail+"\n\n"+recommendation).replace("\n", "
    \n");
    }
}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/issue/FortifyIssueRuleKeysRetrieverExternalList.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
******************************************************************************/
package com.fortify.integration.sonarqube.common.issue;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;

import org.sonar.api.batch.rule.ActiveRule;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.rule.RuleKey;
import org.sonar.api.utils.log.Logger;
import org.sonar.api.utils.log.Loggers;

import com.fortify.integration.sonarqube.common.externalmetadata.ExternalCategory;
import com.fortify.integration.sonarqube.common.externalmetadata.ExternalList;
import com.fortify.integration.sonarqube.common.rule.FortifyRulesDefinition;
import com.fortify.util.rest.json.JSONMap;

/**
 * Maps a Fortify issue to SonarQube rule keys through an external list (for example
 * a CWE or OWASP mapping): every external category mapped to the issue's Fortify
 * category whose rule is active in the current quality profile contributes its key.
 * Categories without any mapping fall back to the generic "other" rule.
 */
public class FortifyIssueRuleKeysRetrieverExternalList implements IFortifyIssueRuleKeysRetriever {
    private static final Logger LOG = Loggers.get(FortifyIssueRuleKeysRetrieverExternalList.class);
    private final SensorContext context;
    private final ExternalList externalList;

    /**
     * @param context sensor context used to look up active rules
     * @param externalList external list providing the Fortify-category-to-external-category mapping
     */
    public FortifyIssueRuleKeysRetrieverExternalList(SensorContext context, ExternalList externalList) {
        this.context = context;
        this.externalList = externalList;
    }

    /**
     * Returns the rule keys to report the given issue under.
     * <ul>
     *  <li>If the Fortify category has no mapping at all: the key of the "other" rule,
     *      or null when that rule is not active.</li>
     *  <li>Otherwise: the keys of all mapped categories whose rule is active; this may
     *      be an empty collection (never null).</li>
     * </ul>
     * Note the asymmetry: callers must handle both null and an empty result.
     */
    @Override
    public Collection<RuleKey> getRuleKeys(IFortifySourceSystemIssueFieldRetriever issueFieldRetriever, JSONMap issue) {
        String fortifyCategory = issueFieldRetriever.getCategory(issue);
        Collection<ExternalCategory> mappedCategories = externalList.getExternalCategoriesForFortifyCategory(fortifyCategory);
        if ( mappedCategories == null ) {
            LOG.debug("Fortify category "+fortifyCategory+" not mapped to any external categories");
            return otherRuleKeyOrNull();
        }
        if ( LOG.isDebugEnabled() ) {
            LOG.debug("Mapped fortify category "+fortifyCategory+" to external categories "+mappedCategories);
        }
        Collection<RuleKey> ruleKeys = new ArrayList<>();
        for ( ExternalCategory category : mappedCategories ) {
            ActiveRule rule = findActiveRule(category.getName());
            if ( rule != null ) {
                ruleKeys.add(rule.ruleKey());
            }
        }
        return ruleKeys;
    }

    /** Single-element collection holding the "other" rule key, or null if that rule is not active. */
    private Collection<RuleKey> otherRuleKeyOrNull() {
        ActiveRule otherRule = findActiveRule(FortifyRulesDefinition.RULE_KEY_OTHER);
        if ( otherRule == null ) { return null; }
        return Arrays.asList(otherRule.ruleKey());
    }

    /** Looks up an active rule of the Fortify repository by its internal key; null if not active. */
    private ActiveRule findActiveRule(String internalKey) {
        return context.activeRules().findByInternalKey(FortifyRulesDefinition.REPOSITORY_KEY, internalKey);
    }

}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/issue/FortifyIssueInputFileRetrieverPathBased.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.common.issue;

import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;

import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.utils.log.Logger;
import org.sonar.api.utils.log.Loggers;

import com.fortify.util.rest.json.JSONMap;

/**
 * Resolves the SonarQube {@link InputFile} for a Fortify issue by path suffix: the
 * first input file (shortest path first) whose path ends with the issue's file name
 * is returned. Because matching is suffix-based, a short or relative Fortify file
 * name can match several input files; the one with the shortest path wins.
 */
public class FortifyIssueInputFileRetrieverPathBased implements IFortifyIssueInputFileRetriever {
    private static final Logger LOG = Loggers.get(FortifyIssueInputFileRetrieverPathBased.class);
    /** All input files of the analysis, ordered by ascending path length. */
    protected final List<InputFile> inputFiles;

    /** Snapshots the analysis' input files, sorted so shorter paths are matched first. */
    public FortifyIssueInputFileRetrieverPathBased(SensorContext context) {
        this.inputFiles = getInputFilesSortedByPathLength(context.fileSystem());
    }

    /**
     * @return the first input file whose path ends with the issue's file name, or null
     *         when the file name cannot be parsed as a {@link Path} or nothing matches
     */
    @Override
    public InputFile getInputFile(IFortifySourceSystemIssueFieldRetriever issueFieldRetriever, JSONMap issue) {
        String fortifyFileName = issueFieldRetriever.getFileName(issue);
        Path fortifyFilePath = parsePathOrNull(fortifyFileName);
        if ( fortifyFilePath == null ) {
            return null;
        }
        InputFile match = inputFiles.stream()
                .filter(inputFile -> inputFile.path().endsWith(fortifyFilePath))
                .findFirst()
                .orElse(null);
        if ( match == null ) {
            LOG.debug("No input file found for "+fortifyFileName+", returning null");
        }
        return match;
    }

    /** Parses the Fortify file name as a Path; null (with a debug log) when that fails. */
    private static Path parsePathOrNull(String fortifyFileName) {
        try {
            return Paths.get(fortifyFileName);
        } catch ( RuntimeException e ) {
            // This can happen, for example, if the Fortify file name is a URL and thus cannot be parsed as Path
            LOG.debug("Unable to resolve input file for "+fortifyFileName+", returning null", e);
            return null;
        }
    }

    // We sort by path name length, such that shorter paths will be matched first
    private static final List<InputFile> getInputFilesSortedByPathLength(FileSystem fs) {
        // This uses deprecated SQ API, but there seems to be no non-deprecated methods for getting
        // the full file name; uri() is not deprecated but not guaranteed to return the actual file
        // location.
        Iterable<InputFile> allInputFiles = fs.inputFiles(fs.predicates().all());
        return StreamSupport.stream(allInputFiles.spliterator(), false)
                .sorted(Comparator.comparingInt(inputFile -> inputFile.path().toString().length()))
                .collect(Collectors.toList());
    }

}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/sq76/source/fod/scanner/FortifyFoDSQ76IssueSensor.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
*
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.sq76.source.fod.scanner;

import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
import org.sonar.api.scanner.ScannerSide;

import com.fortify.integration.sonarqube.common.issue.FortifyIssuesProcessor;
import com.fortify.integration.sonarqube.common.source.fod.issue.FortifyFoDIssueFieldsRetriever;
import com.fortify.integration.sonarqube.common.source.fod.issue.FortifyFoDIssueQueryHelper;
import com.fortify.integration.sonarqube.common.source.fod.scanner.IFortifyFoDScannerSideConnectionHelper;
import com.fortify.integration.sonarqube.sq76.issue.FortifySQ76IssueJSONMapProcessorFactory;
import com.fortify.integration.sonarqube.sq76.scanner.FortifySQ76AbstractProjectSensor;
import com.fortify.integration.sonarqube.sq76.scanner.FortifySQ76IssueSensorProperties;


/**
 * {@link FortifySQ76AbstractProjectSensor} implementation that retrieves vulnerability
 * data from Fortify on Demand (FoD) and reports each vulnerability as a SonarQube issue.
 * The actual query and mapping work is delegated to a {@link FortifyIssuesProcessor}
 * wired with the FoD-specific query helper and field retriever.
 *
 * @author Ruud Senden
 *
 */
@ScannerSide
public class FortifyFoDSQ76IssueSensor extends FortifySQ76AbstractProjectSensor {
    private final FortifySQ76IssueSensorProperties sensorProperties;
    private final FortifyIssuesProcessor issuesProcessor;

    /**
     * Constructor for injecting dependencies.
     * @param connHelper scanner-side FoD connection helper (passed on to the superclass)
     * @param sensorProperties sensor configuration, e.g. whether issue collection is enabled
     */
    public FortifyFoDSQ76IssueSensor(IFortifyFoDScannerSideConnectionHelper connHelper, FortifySQ76IssueSensorProperties sensorProperties) {
        super(connHelper);
        this.sensorProperties = sensorProperties;
        FortifyFoDIssueQueryHelper queryHelper = new FortifyFoDIssueQueryHelper(getConnHelper());
        FortifySQ76IssueJSONMapProcessorFactory processorFactory =
                new FortifySQ76IssueJSONMapProcessorFactory(new FortifyFoDIssueFieldsRetriever(), sensorProperties);
        this.issuesProcessor = new FortifyIssuesProcessor(queryHelper, processorFactory);
    }

    @Override
    public void describe(SensorDescriptor descriptor) {
        descriptor.name("Fortify FoD issue collection");
    }

    /**
     * Sensor implementation that retrieves issue details from FoD and reports them as SonarQube issues.
     */
    @Override
    public void _execute(SensorContext context) {
        issuesProcessor.processIssues(context);
    }

    /**
     * @param context sensor context (unused here)
     * @return true if issue collection is enabled in the sensor properties, false otherwise;
     *         connection availability is not checked by this method
     */
    @Override
    protected final boolean isActive(SensorContext context) {
        return sensorProperties.isIssueCollectionEnabled();
    }
}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/sq76/source/ssc/scanner/FortifySSCSQ76IssueSensor.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free
of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including without
 * limitation the rights to use, copy, modify, merge, publish, distribute,
 * sublicense, and/or sell copies of the Software, and to permit persons to
 * whom the Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
 * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 ******************************************************************************/
package com.fortify.integration.sonarqube.sq76.source.ssc.scanner;

import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
import org.sonar.api.scanner.ScannerSide;

import com.fortify.integration.sonarqube.common.issue.FortifyIssuesProcessor;
import com.fortify.integration.sonarqube.common.source.ssc.issue.FortifySSCIssueFieldsRetriever;
import com.fortify.integration.sonarqube.common.source.ssc.issue.FortifySSCIssueQueryHelper;
import com.fortify.integration.sonarqube.common.source.ssc.scanner.IFortifySSCScannerSideConnectionHelper;
import com.fortify.integration.sonarqube.sq76.issue.FortifySQ76IssueJSONMapProcessorFactory;
import com.fortify.integration.sonarqube.sq76.scanner.FortifySQ76AbstractProjectSensor;
import com.fortify.integration.sonarqube.sq76.scanner.FortifySQ76IssueSensorProperties;


/**
 * {@link FortifySQ76AbstractProjectSensor} implementation that retrieves vulnerability
 * data from Fortify SSC and reports each vulnerability as a SonarQube issue. The actual
 * query and mapping work is delegated to a {@link FortifyIssuesProcessor} wired with the
 * SSC-specific query helper and field retriever.
 *
 * @author Ruud Senden
 *
 */
@ScannerSide
public class FortifySSCSQ76IssueSensor extends FortifySQ76AbstractProjectSensor {
    private final FortifySQ76IssueSensorProperties sensorProperties;
    private final FortifyIssuesProcessor issuesProcessor;

    /**
     * Constructor for injecting dependencies.
     * @param connHelper scanner-side SSC connection helper (passed on to the superclass)
     * @param sensorProperties sensor configuration, e.g. whether issue collection is enabled
     */
    public FortifySSCSQ76IssueSensor(IFortifySSCScannerSideConnectionHelper connHelper, FortifySQ76IssueSensorProperties sensorProperties) {
        super(connHelper);
        this.sensorProperties = sensorProperties;
        FortifySSCIssueQueryHelper queryHelper = new FortifySSCIssueQueryHelper(getConnHelper());
        FortifySQ76IssueJSONMapProcessorFactory processorFactory =
                new FortifySQ76IssueJSONMapProcessorFactory(new FortifySSCIssueFieldsRetriever(), sensorProperties);
        this.issuesProcessor = new FortifyIssuesProcessor(queryHelper, processorFactory);
    }

    @Override
    public void describe(SensorDescriptor descriptor) {
        descriptor.name("Fortify SSC issue collection");
    }

    /**
     * Sensor implementation that retrieves issue details from SSC and reports them as SonarQube issues.
     */
    @Override
    public void _execute(SensorContext context) {
        issuesProcessor.processIssues(context);
    }

    /**
     * @param context sensor context (unused here)
     * @return true if issue collection is enabled in the sensor properties, false otherwise;
     *         connection availability is not checked by this method
     */
    @Override
    protected final boolean isActive(SensorContext context) {
        return sensorProperties.isIssueCollectionEnabled();
    }
}
-------------------------------------------------------------------------------- /common/src/main/java/com/fortify/integration/sonarqube/common/externalmetadata/FortifyExternalMetadata.java: --------------------------------------------------------------------------------
/*******************************************************************************
 * (c) Copyright 2020 Micro Focus or one of its affiliates
 *
 * Permission is hereby granted, free of
charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 
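 ******************************************************************************/
package com.fortify.integration.sonarqube.common.externalmetadata;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.xml.stream.FactoryConfigurationError;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;

import org.apache.commons.lang.builder.ReflectionToStringBuilder;
import org.codehaus.staxmate.SMInputFactory;
import org.codehaus.staxmate.in.SMHierarchicCursor;
import org.codehaus.staxmate.in.SMInputCursor;

/**
 * Immutable, name-keyed view of the {@code ExternalList} elements declared in a Fortify
 * {@code externalmetadata.xml} document. Parsing of the individual lists is delegated to
 * {@link ExternalList#parse}; this class only walks the top-level elements.
 */
public class FortifyExternalMetadata {
	/** External lists keyed by name, in document order; wrapped as an unmodifiable map. */
	private final Map<String, ExternalList> externalLists;

	private FortifyExternalMetadata(Map<String, ExternalList> externalLists) {
		this.externalLists = Collections.unmodifiableMap(externalLists);
	}

	/**
	 * @param name external list name as declared in the document
	 * @return the external list with the given name, or null if none was declared
	 */
	public ExternalList getExternalListByName(String name) {
		return externalLists.get(name);
	}

	/**
	 * @return the names of all declared external lists, in document order (unmodifiable)
	 */
	public Collection<String> getExternalListNames() {
		return externalLists.keySet();
	}

	/**
	 * Parses {@code externalmetadata.xml} from the class path of this class' class loader.
	 * @return the parsed metadata, or null if the resource is not on the class path
	 * @throws RuntimeException wrapping any error raised while locating or parsing the resource
	 */
	public static final FortifyExternalMetadata parse() {
		try {
			URL url = FortifyExternalMetadata.class.getClassLoader().getResource("externalmetadata.xml");
			if ( url == null ) { return null; }
			return parse(url);
		} catch (Exception e) {
			throw new RuntimeException("Unexpected error during the parse of externalmetadata.xml", e);
		}
	}

	/**
	 * Parses an external metadata document from the given URL. Only direct
	 * {@code ExternalList} children of the root element are collected; other
	 * children are ignored. A later list with the same name replaces an earlier one.
	 * @param url location of the XML document; must not be null
	 * @return the parsed metadata (never null)
	 * @throws XMLStreamException on XML errors, or wrapping the IOException of a failed read
	 */
	public static final FortifyExternalMetadata parse(URL url) throws XMLStreamException {
		Map<String, ExternalList> map = new LinkedHashMap<>();
		// Open the stream ourselves so that it is always closed, also when parsing
		// fails half-way. With rootElementCursor(URL) the underlying stream was owned
		// by the StAX implementation and, depending on the implementation, could stay open.
		try (InputStream in = url.openStream()) {
			SMHierarchicCursor rootC = getInputFactory().rootElementCursor(in);
			rootC.advance(); // position the cursor on the root element

			SMInputCursor externalMetadataPackCursor = rootC.childCursor();

			while (externalMetadataPackCursor.getNext() != null) {
				if ("ExternalList".equals(externalMetadataPackCursor.getLocalName())) {
					ExternalList externalList = ExternalList.parse(externalMetadataPackCursor.childCursor());
					map.put(externalList.getName(), externalList);
				}
			}
		} catch (IOException e) {
			// Keep the declared exception type so existing callers are unaffected
			throw new XMLStreamException("Unable to read external metadata from " + url, e);
		}
		return new FortifyExternalMetadata(map);
	}

	/**
	 * Creates the StaxMate input factory on top of a StAX factory hardened against
	 * entity-based attacks: DTD processing and external entity expansion are both
	 * switched off, so a DOCTYPE in the document can neither pull in external content
	 * nor expand entities, and no validation is performed.
	 * @throws FactoryConfigurationError if no StAX implementation can be instantiated
	 */
	private static final SMInputFactory getInputFactory() throws FactoryConfigurationError {
		XMLInputFactory xmlFactory = XMLInputFactory.newInstance();
		xmlFactory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
		xmlFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.FALSE);
		// Don't load or process a DTD if there's a DOCTYPE (XXE / entity expansion
		// protection), and disable external entity resolution explicitly as well, as
		// recommended for StAX parsers; SUPPORT_DTD=false alone is not guaranteed to
		// imply it on every implementation.
		xmlFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
		xmlFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
		xmlFactory.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
		return new SMInputFactory(xmlFactory);
	}

	/** Reflection-based dump of all fields, for debugging/logging. */
	@Override
	public String toString() {
		return ReflectionToStringBuilder.toString(this);
	}
}
-------------------------------------------------------------------------------- /plugin/src/main/java/com/fortify/integration/sonarqube/common/package-info.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * (c) Copyright 2020 Micro Focus or one of its affiliates, a Micro Focus company 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining a 5 | * copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including without 7 | * limitation the rights to use, copy, modify, merge, publish, distribute, 8 | * sublicense, and/or sell copies of the Software, and to permit persons to 9 | * whom the Software is furnished to do so, subject to the following 10 | * conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included 13 | * in all copies or substantial portions of the Software.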
14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 16 | * KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 17 | * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 18 | * PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 20 | * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 21 | * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 23 | * IN THE SOFTWARE. 24 | ******************************************************************************/ 25 | 26 | /** 27 | *

    This package contains common SonarQube plugin code that is shared between the 28 | * various version-specific plugin implementations. Any code in this package and 29 | * sub-packages should compile without any errors against all SonarQube API versions 30 | * that are supported by the plugin. Also, unless there is no work-around, all code 31 | * should compile against the latest supported SonarQube API version without any 32 | * deprecation warnings. Compatibility with specific SonarQube API versions can be 33 | * easily verified using the various Maven profiles (see the root pom.xml file).

    34 | * 35 | *

    In general, this package provides the following functionality:

    36 | *
      37 | *
    • Helper classes and common functionality like connection handling.
    • 38 | *
    • Full implementations for SonarQube extensions that are shared as-is 39 | * between the various version-specific implementations; the SonarQube 40 | * API's and annotations used by these extensions are fully supported 41 | * and not deprecated for all supported SonarQube API versions.

      42 | *
    • Partial implementations for SonarQube extensions for which a full 43 | * implementation cannot be provided without depending on API's that 44 | * have been deprecated in the latest SonarQube API version. The 45 | * version-specific packages extend these partial implementations by 46 | * adding the version-specific SonarQube annotations.

      47 | * Note that in most cases, we could have simply provided a single 48 | * implementation used for all supported SonarQube API versions, using 49 | * API's and annotations that are deprecated in the latest API version; 50 | * likely these deprecated API's are still supported by the current 51 | * latest SonarQube version. However the use of deprecated annotations 52 | * and API's increases the likelihood that the plugin will no longer 53 | * function with future SonarQube versions, if support for these deprecated 54 | * API's is dropped completely. As such, the plugin implementation for the 55 | * latest available SonarQube version (including any common code) should 56 | * avoid the use of deprecated API's, to make the plugin as future-proof 57 | * as possible.
    • 58 | *
    59 | * 60 | *

    In practice, most of the scanner/batch-side annotations and interfaces have 61 | * been deprecated somewhere between SonarQube API versions 6.7 and 7.6. As such, 62 | * for all scanner/batch-side extensions, only a partial implementation is provided 63 | * in this common package.

    64 | * 65 | *

    In most cases, the version-specific extensions just need to extend the 66 | * partial implementation class provided in the common package, and add the relevant 67 | * version-specific annotations. For sensors, some interfaces and base classes 68 | * have also been deprecated, so the version-specific sensor implementations diverge more from the common code.

    69 | * 70 | */ 71 | 72 | package com.fortify.integration.sonarqube.common; --------------------------------------------------------------------------------