[sonar-dev] [VOTE] Release Fortify plugin 2.1

[sonar-dev] [VOTE] Release Fortify plugin 2.1

Julien HENRY
Hi,

I would like to release Fortify plugin 2.1.

The main change compared to the previous version is that rule definitions are embedded in the plugin (so there is no longer any need to reference uncompressed rulepacks).


You can test using this SNAPSHOT:

Known issues
Mapping of Fortify vulnerability severity to SonarQube severity is very basic. Fortify filter templates are not considered.

Documentation

Vote open to everybody for 72 hours.

[ ] +1
[ ] +0
[ ] -1

Regards,

Julien


Re: [sonar-dev] [VOTE] Release Fortify plugin 2.1

Steve Springett
Julien,

If rule definitions are embedded in the plugin, and HP Security Research releases four rulepack updates a year (which they do), how will the Sonar plugin handle rule definition updates?

The last rulepack update introduced several new categories of issue. How would something like this be handled?

—Steve

On April 30, 2015 at 9:34:32 AM, Julien HENRY ([hidden email]) wrote:


Re: [sonar-dev] [VOTE] Release Fortify plugin 2.1

Julien HENRY
Hi Steve,

Like other SonarQube plugins (Checkstyle, PMD, ...), a new release of the SQ Fortify plugin will have to be done to embed updated rule definitions.

++

Julien

2015-04-30 18:15 GMT+02:00 Steve Springett <[hidden email]>:


Re: [sonar-dev] [VOTE] Release Fortify plugin 2.1

Julien HENRY
Vote has passed by lazy consensus. I'll continue with the release.

2015-04-30 18:28 GMT+02:00 Julien HENRY <[hidden email]>: