SonarCloud Security scans

Context

This page aims to review the current configuration of SonarCloud security scanning (including which rules and checks are in use now) and to propose additional checks that should be added to improve the efficiency of security scanning.

Current state

Please refer to https://sonarcloud.io/organizations/folio-org/projects?view=visualizations&visualization=security for SonarCloud dashboards.

Statistics

Current statistics are shown in the picture below. Currently, 207 modules are included in the project, and only 9 of them have vulnerabilities (refer to https://docs.sonarqube.org/latest/user-guide/metric-definitions/ and https://stackoverflow.com/questions/44652526/how-sonarqube-a-b-c-d-and-e-rating-calculated regarding the security rating metrics).

Brief overview of modules with vulnerabilities:

  • E - mod-marccat - is deprecated and should be deleted from SonarCloud - (question) how to do that?
  • E - raml-module-builder (code smell, vulnerability, not covered by tests)
  • E - Vert.x MySQL/PostgreSQL Client is actually not a module - (question) why it's here? shouldn't it be removed?
  • E - mod-inventory (code smell, vulnerability)
  • E - mod-invoice (vulnerability)
  • D - mod-camunda (code smell, vulnerability, not covered by tests; last update was 5 months ago)
  • D - edge-inn-reach (code smell, vulnerability)
  • B - cql2pgjson-proj

Rules in use currently

All the configured rules are available at https://sonarcloud.io/organizations/folio-org/rules. Currently all the rules are grouped into 4 categories:

  • OWASP Top 10
  • SANS Top 25 - SonarCloud itself notes that the SANS Top 25 is outdated: "The SANS Top 25 report is based on outdated statistics and should no longer be used. Instead, we recommend using the CWE Top 25".
    • does this mean it can be switched off safely?
  • CWE (Common Weakness Enumeration) is a community-developed list of software and hardware weakness types.
    • Refer to https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html for the 2021 CWE Top 25 Most Dangerous Software Weaknesses - it lists the most common and impactful issues experienced over the previous two calendar years. (warning) All mentioned CWEs can be found in SonarCloud, but not all of them have rules configured - does this mean that there are no rules for them, or that rules exist but are not added to SonarCloud? (question)
  • SonarSource rules set

Is this rule set efficient enough? All the rules have tags and can be explored by tag via https://rules.sonarsource.com/java/tag. E.g., there are currently 114 cwe rules for Java. So, based on a brief review of the rule sets and some information from https://community.sonarsource.com/t/addition-to-owasp-top-10-rule-sets/35561 , SonarCloud rules cover a pretty wide list of known vulnerabilities, and I see no other sources of additional security rules.



(plus) What rules are configured now? - https://sonarcloud.io/organizations/folio-org/rules

(plus) How many vulnerabilities and security issues are found now? Statistics per level

Are there any false positive cases, or cases that are to be excluded?

(plus) Are there any reported issues which have to be solved asap?

Is security scan outcome considered in Quality gate?


Statistics for Embold (https://embold.io/)

mod-remote-storage

mod-audit

mod-invoice

Target state


Rule set recommendations can be found on



What new rules can be added or what existing rules can be removed?

According to the Embold results stated above, a new rule can be added: Resource leak. More information here: https://rules.sonarsource.com/java/tag/leak/RSPEC-2095
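To illustrate what the proposed Resource leak rule (RSPEC-2095, "Resources should be closed") would report in a Java module, here is an added example that is not code from any FOLIO module: a leaky JDBC lookup beside the try-with-resources form the rule accepts. The InstanceRepository class, its injected DataSource and the instance table are assumed for illustration only.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

// Constructed illustration of SonarSource rule S2095 (RSPEC-2095).
// The repository class, its DataSource and the table are assumed, not FOLIO code.
public class InstanceRepository {
  private final DataSource dataSource; // assumed to be injected by the module

  public InstanceRepository(DataSource dataSource) {
    this.dataSource = dataSource;
  }

  // Non-compliant, flagged by S2095: if prepareStatement() or executeQuery()
  // throws, the connection is never returned to the pool; even on the happy
  // path the PreparedStatement and ResultSet are never closed. Under load the
  // pool drains and the module stops serving requests (availability impact).
  public int countInstancesLeaky(String tenantId) throws SQLException {
    Connection conn = dataSource.getConnection();
    PreparedStatement ps = conn.prepareStatement(
        "SELECT count(*) FROM instance WHERE tenant_id = ?");
    ps.setString(1, tenantId);
    ResultSet rs = ps.executeQuery();
    rs.next();
    int count = rs.getInt(1);
    conn.close(); // only the connection, and only when nothing threw
    return count;
  }

  // Compliant: try-with-resources closes every AutoCloseable in reverse order
  // of acquisition, on normal exit and on exception alike.
  public int countInstances(String tenantId) throws SQLException {
    String sql = "SELECT count(*) FROM instance WHERE tenant_id = ?";
    try (Connection conn = dataSource.getConnection();
         PreparedStatement ps = conn.prepareStatement(sql)) {
      ps.setString(1, tenantId);
      try (ResultSet rs = ps.executeQuery()) {
        return rs.next() ? rs.getInt(1) : 0;
      }
    }
  }
}
```

Running SonarCloud with S2095 enabled reports the first method and accepts the second, which is the behaviour to expect once the rule is added to the FOLIO profile.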

Does it make sense to plug in other tools (e.g. FindBugs), or to create FOLIO-specific custom rules?

Statistics for the new rule set?


How to evaluate improvements?

  • Coverage in current vs. target state
  • Vulnerabilities found in current vs. target state
  • Percentage of false positives