Skip to content

NiklasMehner/zap-sonar-plugin

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
screenshots
screenshots
 
 
sonar-zap-plugin
sonar-zap-plugin
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 

Repository files navigation

ZAP Plugin for SonarQube

Integrates OWASP ZAP reports into SonarQube v5.1 or higher.

About ZAP

OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Screenshots

alt tag

Metrics

The plugin keeps track of the following statistics:

  • Total number of high, medium, low, and info severity findings

Additionally, the following metric is defined:

Identified Risk Score (IRS)

(high * 5) + (medium * 3) + (low * 1)

The IRS is simply a weighted measurement of the vulnerabilities identified during a scan. It does not measure the actual risk posed by the findings.

Compiling

$ mvn clean package

Installation

Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.

Plugin Configuration

A typical SonarQube configuraiton will have the following parameters. This example assumes the use of a Jenkins workspace, but can easily be altered for other CI/CD systems.

sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml
# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml

History

The ZAP SonarQube Plugin is derived from the OWASP Dependency-Check SonarQube Plugin. Version 1.0 of the Dependency-Check plugin was forked by Polymont with the intent of creating a generic OWASP SonarQube plugin to support any OWASP project. The ZAP team wanted their own SonarQube plugin independent of any other project. In addition, a number of critical defects were discovered in the initial release of the Dependency-Check SonarQube plugin that were later fixed in subsequent releases, but never addressed in the generic OWASP version. The ZAP SonarQube Plugin is based on v1.0.3 of the Dependency-Check SonarQube plugin with ZAP-specific contributions by Polymont.

License

Permission to modify and redistribute is granted under the terms of the LGPLv3 license.

About

Integrates OWASP Zed Attack Proxy reports into SonarQube

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Java 91.1%
  • HTML 8.9%