
Sonar Cryptography Plugin

This repository contains a SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.

Version compatibility

| Plugin Version | SonarQube Version |
|----------------|-------------------|
| 1.2.0 and up   | SonarQube 9.8 and up |

Warning

There is an issue with SonarQube versions 10.5.0 and above that affects the functionality of our plugin. Specifically, our custom rules are not being executed correctly, resulting in no detections. This problem is due to an issue on the SonarQube side and is being tracked on this discussion of the Sonar Community forum.

Supported languages and libraries

| Language | Cryptographic Library            | Coverage |
|----------|----------------------------------|----------|
| Java     | JCA                              | 100%     |
| Java     | BouncyCastle (light-weight API)  | 100%[^1] |
| Python   | pyca/cryptography                | 100%     |

Note

The plugin is designed in a modular way so that it can be extended to support additional languages and recognition rules to support more libraries.

Installation

Copy the plugin (the JAR file from the latest releases) to $SONARQUBE_HOME/extensions/plugins and restart SonarQube (more).

Note

We are currently in the process of adding the plugin to the SonarQube marketplace. You will then be able to install the plugin directly via the marketplace (only applicable to the community version).

Using

The plugin provides new inventory rules (IBM Cryptography Repository) covering the use of cryptography in the supported languages. If you enable these rules, a source code scan creates a cryptographic inventory: a CBOM listing all detected cryptographic assets, written as cbom.json to the scan directory.

Add Cryptography Rules to your Quality Profile

This plugin incorporates rules specifically focused on cryptography.

To generate a Cryptography Bill of Materials (CBOM), it is mandatory to activate at least one of these cryptography-related rules.

As of the current version, the plugin contains one single rule for creating a cryptographic inventory. Future updates may introduce additional rules to expand functionality.

Scan Source Code

Now you can follow the SonarQube documentation to start your first scan.

Visualizing your CBOM

Once you have scanned your source code with the plugin and obtained a cbom.json file, you can use IBM's CBOM Viewer service to learn more about it. It provides general insights into the cryptography used in your source code and its compliance with post-quantum safety. It also lets you explore each cryptographic asset and its detailed specification, and shows where it appears in your code.
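If you want to inspect the inventory offline instead of uploading it, the following added example (not part of the plugin or this README) reads a cbom.json, lists each cryptographic asset with its source locations, and picks out the assets without a quantum security level. The sample document is constructed, and the field names assume the CycloneDX 1.6 cryptographic-asset layout, which this README does not show.

```python
"""Summarize the cbom.json written by a scan (added example, not plugin
code).  Field names follow the CycloneDX 1.6 cryptographic-asset schema,
which is an assumption: the README does not show the file's layout."""
import json

# Constructed cbom.json excerpt, not the output of a real scan.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "AES-128-GCM",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "ae", "parameterSetIdentifier": "128",
             "nistQuantumSecurityLevel": 1}},
         "evidence": {"occurrences": [
             {"location": "src/main/java/app/Crypto.java", "line": 42}]}},
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "pke", "parameterSetIdentifier": "2048",
             "nistQuantumSecurityLevel": 0}},
         "evidence": {"occurrences": [
             {"location": "src/main/java/app/Keys.java", "line": 17},
             {"location": "src/main/java/app/Tls.java", "line": 88}]}},
        # Non-crypto components (e.g. a library dependency) are skipped.
        {"type": "library", "name": "example-crypto-lib"},
    ],
})


def summarize_cbom(text):
    """Map each cryptographic-asset name to its primitive, whether its NIST
    quantum security level is above 0, and its file:line occurrences."""
    bom = json.loads(text)
    summary = {}
    for comp in bom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        algo = comp.get("cryptoProperties", {}).get("algorithmProperties", {})
        occurrences = comp.get("evidence", {}).get("occurrences", [])
        summary[comp["name"]] = {
            "primitive": algo.get("primitive"),
            # Level 0 means no quantum security; 1-6 follow the NIST PQC levels.
            "quantum_safe": algo.get("nistQuantumSecurityLevel", 0) > 0,
            "locations": [f"{o['location']}:{o['line']}" for o in occurrences],
        }
    return summary


def not_quantum_safe(text):
    """Names of the assets a post-quantum migration review should look at first."""
    return sorted(n for n, a in summarize_cbom(text).items() if not a["quantum_safe"])
```

Point `summarize_cbom` at the contents of a real cbom.json to get the same per-asset view for your own scan.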

Contribution Guidelines

If you'd like to contribute to Sonar Cryptography Plugin, please take a look at our contribution guidelines. By participating, you are expected to uphold our code of conduct.

We use GitHub issues for tracking requests and bugs. For questions start a discussion using GitHub Discussions.

License

Apache License 2.0

Footnotes

[^1]: We only cover the BouncyCastle light-weight API according to this specification.