What is the difference between SonarQube and Checkmarx CxSAST & CxSCA? - sonarqube

I have integrated SonarQube and Checkmarx SAST and SCA into the Azure DevOps build pipeline. I am able to see both the SonarQube and Checkmarx reports without any issues.
I have the following questions. Could someone please clarify:
What is the difference between SonarQube and Checkmarx CxSAST?
What is the common thing between these two?
In which situations are SonarQube and Checkmarx preferred?

If I were to boil it down to a short phrase, SonarQube is used for ensuring code quality, and Checkmarx is used for ensuring the security of a system running that code.
SonarQube looks at several areas, including the code coverage percentage of unit tests of the code, duplication percentages, and also code quality issues found through static analysis of the code.
Checkmarx, on the other hand, just analyzes the flow of the code and the inputs and outputs. It looks for situations where inputs that could have been provided by an end user are used directly to control behavior, and other "attack vectors".

Related

Can we replace Static Application Security Testing (SAST) tools like Fortify, Checkmarx and IBM AppScan with SonarQube?

As per the SonarQube 8.1 roadmap docs (https://docs.sonarqube.org/latest/), it covers all the security rules originating from established standards: CWE, SANS Top 25, and OWASP Top 10.
In this area no tool is the same. So when you run all those tools on the same code you will get some similar findings, some new ones and some missing (maybe false positives), depending on how they implement the tool. Given that SonarQube is relatively new in this field, I would suggest also using some other tool for this specific area. Be aware that achieving a 100% detection result is extremely difficult or impossible.
No, you definitely could not, actually. The coverage of Sonar is not the thing you should look at. You must understand how they make the detections, the number of false positives/negatives, etc.
Fortify and Checkmarx analyse the flow inside your code. They can analyse the controls you put in place beforehand. SonarQube is more rules-based and not flow-based.
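As an added illustration of the rules-based versus flow-based distinction drawn in both the first answer above and this one (example code written for this page, not from the thread or from any of the products named): a toy pattern rule and a toy taint tracker are run over the same constructed Python snippet. The source, sink and sanitizer lists (`input`, `os.system`, `shlex.quote`) and the straight-line-only handling are deliberate simplifications chosen for the example.

```python
import ast
SOURCES, SINKS, SANITIZERS = {"input"}, {"os.system"}, {"shlex.quote"}  # toy config (assumed)
def _name(call):
    """Dotted callee name such as 'os.system' ('' if not a simple name)."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""

def rule_based(src):
    """Pattern rule: flag every sink call whose first argument is not a literal."""
    return [n.lineno for n in ast.walk(ast.parse(src))
            if isinstance(n, ast.Call) and _name(n) in SINKS
            and n.args and not isinstance(n.args[0], ast.Constant)]

def flow_based(src):
    """Taint rule: flag a sink only when its argument derives from a source and
    never passed through a sanitizer (straight-line module-level code only)."""
    tainted = set()
    def is_tainted(e):
        if isinstance(e, ast.Name):
            return e.id in tainted
        if isinstance(e, ast.BinOp):
            return is_tainted(e.left) or is_tainted(e.right)
        if isinstance(e, ast.Call):
            n = _name(e)
            if n in SANITIZERS:
                return False          # sanitizer output is considered clean
            return n in SOURCES or any(is_tainted(a) for a in e.args)
        return False                  # literals and unhandled node kinds
    hits = []
    for stmt in ast.parse(src).body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            (tainted.add if is_tainted(stmt.value) else tainted.discard)(stmt.targets[0].id)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            if _name(stmt.value) in SINKS and any(is_tainted(a) for a in stmt.value.args):
                hits.append(stmt.lineno)
    return hits
# Constructed sample program: only line 3 is a genuine user-input-to-shell flow.
SAMPLE = """\
import os, shlex
name = input()
os.system("ls " + name)
safe = shlex.quote(name)
os.system("ls " + safe)
host = "localhost"
os.system("ping " + host)
"""
```

Running both over `SAMPLE`, the pattern rule reports lines 3, 5 and 7 (two of them false positives), while the taint tracker reports only line 3 because it sees the sanitizer on line 4 and the constant on line 6.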

Creating a custom maven test report

I am trying to create a custom test report using Maven as my build tool and JUnit as my framework, along with Selenium test cases. I was using Maven's Surefire report plugin, but I need to include more information in my report. Can anyone direct me to a good tutorial on how to create a custom Maven reporting tool?
We have a much better test automation dashboard based on just a few API calls. ARES dashboard (built under Testastra and owned by ZenQ) is a much better option to try, and it's absolutely free.
ARES is an acronym for Test Automation Results dashboard. It's a test automation framework/tool-agnostic solution that simplifies the collection of test automation results and their analysis via a live dashboard, daily/weekly trends, frequent failures, etc. Website: http://www.testastra.com/#ares
The repo below has code samples, documentation and usage of the ARES test automation dashboard: https://github.com/testastra/ARES
Give it a try.

How do we get separate reports in SonarQube 6.5+?

We would like to get unit tests and integration tests reported separately in SonarQube 6.5+. Currently, it shows the full test coverage.
This is not possible. SonarQube does accept coverage data from multiple sources, and it then merges them.
You should use your individual test/coverage tools to further distinguish between different types of coverage.

SonarQube - ignore third-party JavaScript EXCEPT for the Security section?

Trying SonarQube 6.0.
Hi SonarQube experts,
I've used sonar.exclusion in the past, but it's an all-or-nothing kind of deal.
Given the following sections in the sonarqube dashboard:
Reliability
Security
Maintainability
Duplications
Size
Complexity
Documentation
Issues
Is there a way to cross-filter selected directories (such as those containing third-party JavaScript libraries) so they are excluded except for Security, as an example?
The use case is, when configuring Quality Gates, to not worry about the maintainability of third-party JavaScript libraries, but to very much worry about their vulnerabilities.
Behind this request, I have the feeling that you're looking for a tool able to detect usages of APIs with known MITRE CVE vulnerabilities. If this is the case, then SonarQube won't be of any help to you in covering this need.

How to report performance metrics / non-physical resources in SonarQube

I'm looking for a way to report NFR/performance quality metrics of code. These metrics come from the execution of unit tests and can be, for example, average, minimum and maximum response time statistics, number of executions and other custom metrics.
For this, I'm thinking of creating "virtual" resources that are not linked to sources for each class and test method, and reporting these metrics on them, so that every time the tests are executed I get an idea of the impact of the last changes on performance.
I saw in another discussion that SonarQube is designed for static code quality; these performance and NFR metrics are also part of code quality, so I think it makes sense that they get reported and tracked in SonarQube.
Because, as you noted, SonarQube is designed for static code analysis, you're going to have a hard time with the 'virtual' resources route. Analysis looks at the directories and files in the source directory. No file, no SonarQube resource, and nowhere to attach metrics.
If you're determined to do this, then you should consider attaching your metrics at some aggregate level: module or project. Note that metric history isn't kept below the project level.
Alternately, you could attach these metrics to the test files themselves.
Keeping the historical data is another point. As a last option, I will keep the method-level metrics in a separate repository and write a SonarQube widget that displays these metrics. I made a prototype and that worked, using w2ui. I will lose SonarQube capabilities, but for a first approach that will be fine.