Integrates OWASP Zed Attack Proxy reports into SonarQube
Switch branches/tags
Nothing to show
Clone or download

README.md

Build Status Codacy Badge Maintainability DepShield Badge

ZAP Plugin for SonarQube 6.x

Integrates OWASP ZAP reports into SonarQube v6.7.5 or higher. The target version of SonarQube is the current LTS version.

About ZAP

OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Screenshots

alt tag

Metrics

The plugin keeps track of the following statistics:

  • Total number of high, medium, low, and info severity findings

Additionally, the following metric is defined:

Identified Risk Score (IRS)

(high * 5) + (medium * 3) + (low * 1)

The IRS is simply a weighted measurement of the vulnerabilities identified during a scan. It does not measure the actual risk posed by the findings.

Installation

Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.

Plugin Configuration

A typical SonarQube configuration will have the following parameters. This example assumes the use of a Jenkins workspace, but can easily be altered for other CI/CD systems.

sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml
# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml

Compiling

$ mvn clean package

This will build the plugin into a jar file into sonar-zap-plugin/target/sonar-zap-plugin-<version>.jar.

If the docker property is set, a Docker image will also be created for testing. The image will be named org.sonarsource.owasp/sonar-zap-plugin:<version> and will have the supported version of SonarQube pulled from Docker Hub with the newly-built zap-sonar-plugin installed.

To make sure the Docker image is always created when building locally, you can set the docker property in an active profile in your settings.xml:

    <settings>
    ...
      <profiles>
        <profile>
          <id>docker</id>
          <properties>
            <docker>true</docker>
          </properties>
        </profile>
      </profiles>

      <activeProfiles>
        <activeProfile>docker</activeProfile>
      </activeProfiles>
    ...
    </settings>

Testing

Once the Docker image is built, it can be started with

$ docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 org.sonarsource.owasp/sonar-zap-plugin:version

The SonarQube server may take a few minutes to start. You can check it with

$ docker logs sonarqube

and look for a line that says SonarQube is up.

Then run an analysis using the test report:

$ cd sonar-zap-plugin
$ mvn sonar:sonar -Dsonar.zaproxy.reportPath=$(pwd)/src/test/resources/report/zaproxy-report.xml

The path must be an absolute path. If your shell does not support $(pwd), replace it with the full path to the test report.

The results can be viewed at http://localhost:9000/project/issues?id=org.sonarsource.owasp%3Asonar-zap-plugin&resolved=false&tags=zaproxy. There should be 14 issues: 1 Major, 9 Minor, 4 Info.

History

The ZAP SonarQube Plugin is derived from the OWASP Dependency-Check SonarQube Plugin. Version 1.0 of the Dependency-Check plugin was forked by Polymont with the intent of creating a generic OWASP SonarQube plugin to support any OWASP project. The ZAP team wanted their own SonarQube plugin independent of any other project. In addition, a number of critical defects were discovered in the initial release of the Dependency-Check SonarQube plugin that were later fixed in subsequent releases, but never addressed in the generic OWASP version. The ZAP SonarQube Plugin is based on v1.0.3 of the Dependency-Check SonarQube plugin with ZAP-specific contributions by Polymont.

License

Permission to modify and redistribute is granted under the terms of the LGPLv3 license.