Commit 4593825c authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

Merge branch 'feature/sast-sonar-report' into 'main' 

docs(sonar): add sonar vulnerability reporting details

Closes #90

See merge request to-be-continuous/maven!131
parents c975209e 2d5c990b

README.md

+9 −0
Original line number Diff line number Diff line
@@ -171,6 +171,15 @@ If using Community Edition, you'll have to install the [sonarqube-community-bran 


Without disabling the job, you can still exclude a particular project by defining a property `<sonar.skip>true</sonar.skip>` in the pom.xml of the project or module you want to exclude.



**Output artifacts:**



When the SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/quality-standards-administration/managing-quality-gates/introduction/) is enabled (using `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED`), this job produces a GitLab SAST report `mvn-sonar.gitlab-sast.json`, generated from SonarQube as part of the [Vulnerability Reporting integration](https://docs.sonarsource.com/sonarqube-server/devops-platform-integration/gitlab-integration/setting-up-at-project-level#reporting-vulnerabilities), containing the detected security findings. Artifacts are retained for one day and are downloadable only by users with the Developer role or higher in GitLab.



The following reports are generated:



| Report         | Format                                                                       | Usage             |

| -------------- | ---------------------------------------------------------------------------- | ----------------- |

| `$MAVEN_PROJECT_DIR/reports/mvn-sonar.gitlab-sast.json` | [Gitlab SAST](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/src/sast-report-format.json?ref_type=heads) report | [GitLab integration](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportssast) |



### `mvn-dependency-check` job

templates/gitlab-ci-maven.yml

+8 −8
Original line number Diff line number Diff line
@@ -766,19 +766,19 @@ mvn-sonar: 
    - |

      if [[ "$SONAR_QUALITY_GATE_ENABLED" == "true" ]]

      then

        log_info "Return a list of vulnerabilities according to the GitLab SAST JSON format, based on SonarQube issues for project \\e[33;1m${SONAR_PROJECT_KEY}\\e[0m..."

        log_info "Retrieve GitLab SAST report from SonarQube for project \\e[33;1m${SONAR_PROJECT_KEY}\\e[0m..."

        mkdir -p ./reports

        sonar_api_params="projectKey=${SONAR_PROJECT_KEY}"

        if [ -z "${CI_MERGE_REQUEST_IID}" ]; then

          sonar_api_params="${sonar_api_params}&branch=${CI_COMMIT_BRANCH}"

        sonar_api_params="projectKey=$SONAR_PROJECT_KEY"

        if [ "${CI_MERGE_REQUEST_IID}" ]; then

          sonar_api_params="${sonar_api_params}&pullRequest=$CI_MERGE_REQUEST_IID"

        else

          sonar_api_params="${sonar_api_params}&pullRequest=${CI_MERGE_REQUEST_IID}"

          sonar_api_params="${sonar_api_params}&branch=$CI_COMMIT_REF_NAME"

        fi

        curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?${sonar_api_params}" -o ./reports/mvn-sonar.gitlab-sast.json # gitleaks:allow

      else

        log_info "SONAR_QUALITY_GATE_ENABLED is not set to true — skipping GitLab SAST export and report generation"

        log_info "ℹ️ If you wish to retrieve GitLab SAST report from SonarQube, please set SONAR_QUALITY_GATE_ENABLED to true"

      fi

      exit $exit_code

      - exit $exit_code

  rules:

    # exclude if $SONAR_URL and $SONAR_HOST_URL not set

    - if: '($SONAR_HOST_URL == null || $SONAR_HOST_URL == "") && ($SONAR_URL == null || $SONAR_URL == "")'