Add PMD security Rules


mnelli
Hi,
I would like to add these PMD security rules:
https://github.com/GDSSecurity/GDS-PMD-Security-Rules

to my SonarQube (version 5.1) PMD rules.

Is it possible?
How do I do it?

Thank you!

Re: [sonar-dev] Add PMD security Rules

andrew murren
Hi,

From a quick scan of the rules included in the GDS-PMD-Security-Rules plug-in, it looks like most if not all of the flaws are covered by the rules already available in SonarQube. For instance, the SQL injection that the A1 - Injection rule looks for is covered by S2077. The crypto rules included in the FindSecBugs rules cover more than what the A7 - Insecure Cryptographic Storage rule covers.

You might want to take a look at the SonarQube rules marked with the tags 'security' and 'owasp-top 10' before trying to get the GDS-PMD-Security-Rules plug-in to work.

Andy


On Fri, May 8, 2015 at 3:38 AM, mnelli <[hidden email]> wrote:
--
View this message in context: http://sonarqube.15.x6.nabble.com/Add-PMD-securty-Rules-tp5035129.html
Sent from the SonarQube Developers mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Re: [sonar-dev] Add PMD security Rules

mnelli
I've taken a look at the SonarQube security rules, but when I try to verify code with an SQL injection it doesn't find it.

For example
I have this code:

[...]
finder.setCodeSql("SELECT COUNT(*) AS NUM_RECORDS FROM ("+finder.getCodeSql()+")");
[...]

and I expect that SonarQube finds the SQL injection with this rule:

Values passed to SQL commands should be sanitized
http://nemo.sonarqube.org/coding_rules#rule_key=squid%3AS2077

but it doesn't find it.

Why?

Thank you!

(SonarQube version 5.1)

Re: [sonar-dev] Add PMD security Rules

Nicolas Peru
Hi,

Which API do you expect to find this in? Currently, checks for this rule are made only in Hibernate and JDBC statements. Which API is finder.setCodeSql part of?

Cheers,

Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com


2015-05-08 16:24 GMT+02:00 mnelli <[hidden email]>:

Re: [sonar-dev] Add PMD security Rules

mnelli
finder is a Java Bean where I set the codeSql attribute (a String where I put part of SQL code that comes from a form)

[...]
Finder finder = new Finder();
finder.setCodeSql(form.getCodeSqlInput()); // codeSql comes straight from the form
[...]

finder.setCodeSql("SELECT COUNT(*) AS NUM_RECORDS FROM (" + finder.getCodeSql() + ")");

and later in the code I have the

ResultSet rs = stmt.executeQuery(finder.getCodeSql()); // plain JDBC Statement, SQL built above

but SonarQube doesn't identify the SQL injection that is present in the SQL code where I pass the parameter directly.

It is a normal JDBC statement...
But it is not found by SonarQube.

Can you verify it?

Thank you!
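The pattern discussed in this thread (a whole SQL fragment taken from a form, stored in a bean and later executed through a plain JDBC Statement) beside a hardened version, as an added example that is not part of the original posts. The Finder bean, the form value names and the allow-list of query names are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Map;

public class FinderExample {
    /** Hypothetical bean modelled on the thread's Finder; it only holds a String. */
    public static class Finder {
        private String codeSql;
        public String getCodeSql() { return codeSql; }
        public void setCodeSql(String codeSql) { this.codeSql = codeSql; }
    }

    // VULNERABLE: the form supplies an arbitrary SQL fragment, it is stored in the bean,
    // wrapped in a COUNT(*) subquery and executed verbatim. Nothing between the form and
    // executeQuery() constrains it, so the client controls the query text.
    static int countRecordsUnsafe(Connection conn, String codeSqlFromForm) throws SQLException {
        Finder finder = new Finder();
        finder.setCodeSql(codeSqlFromForm);
        finder.setCodeSql("SELECT COUNT(*) AS NUM_RECORDS FROM (" + finder.getCodeSql() + ")");
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(finder.getCodeSql())) {
            return rs.next() ? rs.getInt("NUM_RECORDS") : 0;
        }
    }

    // Assumed allow-list: the form picks a query by name; the SQL text never comes from
    // the client. The only client-supplied value (the region) is bound as a parameter.
    private static final Map<String, String> ALLOWED_SUBQUERIES = Map.of(
        "activeCustomers", "SELECT id FROM customers WHERE active = 1 AND region = ?",
        "openOrders",      "SELECT id FROM orders WHERE status = 'OPEN' AND region = ?");

    // HARDENED: the SQL structure is fixed in code; the client only chooses an allow-listed
    // key and supplies a value that goes through PreparedStatement binding.
    static int countRecordsSafe(Connection conn, String queryName, String region) throws SQLException {
        String subquery = ALLOWED_SUBQUERIES.get(queryName);
        if (subquery == null) {
            throw new IllegalArgumentException("unknown query: " + queryName);
        }
        String sql = "SELECT COUNT(*) AS NUM_RECORDS FROM (" + subquery + ") t";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, region);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("NUM_RECORDS") : 0;
            }
        }
    }
}
```

In the unsafe method the concatenation happens in a bean setter rather than in the executeQuery() argument, which is why a check that only inspects Hibernate and JDBC statement calls, as described in the thread, can miss it; the hardened method leaves no runtime-built SQL for such a check to worry about.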