Integrates OWASP Zed Attack Proxy reports into SonarQube
newlight77/zap-sonar-plugin

ZAP Plugin for SonarQube 7.x LTS

Integrates OWASP ZAP reports into SonarQube v7.x or higher. The current SonarQube LTS release is the target.

About ZAP

OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

People with a wide range of security experience can use ZAP, which makes it ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Installation

Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.

Plugin Configuration

A typical SonarQube configuration will have the following parameters. This example assumes the use of a Jenkins workspace, but can easily be altered for other CI/CD systems.

sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml
sonar.zaproxy.htmlReportPath=${WORKSPACE}/zaproxy-htmlReport.html
# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml

Example of automation with a CI toolchain

cd example

docker-compose up -d sonarqube
# wait 2 minutes for sonarqube to start
sleep 120

export PLUGIN_VERSION=2.2.0
wget https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-${PLUGIN_VERSION}/sonar-zap-plugin-${PLUGIN_VERSION}.jar -O ./plugin/sonar-zap-plugin-${PLUGIN_VERSION}.jar

export APP_URL_UNDER_TEST='your-url-under-test'
docker-compose up owasp-zap
docker-compose up sonar-scanner

If you wish to run the ZAP tool within the CI pipeline:

  • You may refer to the example directory
  • You need to have docker and docker-compose installed
  • You may refer to .gitlab-ci.yml if you wish to run on GitLab CI
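The pipeline above hands a ZAP XML report to sonar-scanner through sonar.zaproxy.reportPath, and a missing, empty or non-ZAP file at that path is the usual reason the import silently produces nothing. The following pre-flight check is an added example, not code from the zap-sonar-plugin project: it resolves the report path from a sonar-project.properties fragment (the keys are the ones from the Plugin Configuration section; the ${WORKSPACE} expansion and the properties parser are this example's own), then parses the report to count alert instances per ZAP risk level and to list the findings above a chosen risk, so a CI job can fail before the scanner runs. It assumes the OWASP ZAP XML report layout (OWASPZAPReport > site > alerts > alertitem with riskcode, name, cweid and instances/instance/uri); the sample report and properties are constructed for illustration.

```python
"""Pre-flight check for a ZAP XML report before sonar-scanner imports it.

Added example; not code from the zap-sonar-plugin project. Assumptions:
the sonar.zaproxy.reportPath key from the README, and the OWASP ZAP XML
report layout (OWASPZAPReport > site > alerts > alertitem with riskcode,
name, cweid and instances/instance/uri). Sample data below is constructed.
"""
import string
import xml.etree.ElementTree as ET
from collections import Counter

# riskcode values as written by ZAP into the XML report.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sonar-project.properties fragment using the README's keys.
SAMPLE_PROPERTIES = """\
sonar.projectKey=example
sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml
sonar.zaproxy.htmlReportPath=${WORKSPACE}/zaproxy-htmlReport.html
# Optional - additional rules outside the core set
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml
"""

# Constructed sample in the ZAP XML report layout (not output of a real scan).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.9.0" generated="Mon, 1 Jan 2024 00:00:00">
  <site name="http://app.example.test" host="app.example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <cweid>79</cweid>
        <instances>
          <instance><uri>http://app.example.test/search?q=x</uri><method>GET</method><param>q</param></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10038</pluginid>
        <name>Content Security Policy (CSP) Header Not Set</name>
        <riskcode>2</riskcode>
        <confidence>3</confidence>
        <cweid>693</cweid>
        <instances>
          <instance><uri>http://app.example.test/</uri><method>GET</method></instance>
          <instance><uri>http://app.example.test/login</uri><method>GET</method></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_properties(text):
    """Parse key=value lines of a .properties file; comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve_report_path(props, env):
    """Expand ${VAR} references in sonar.zaproxy.reportPath from the given environment."""
    raw = props.get("sonar.zaproxy.reportPath")
    if not raw:
        raise KeyError("sonar.zaproxy.reportPath is not set; the plugin has nothing to import")
    return string.Template(raw).substitute(env)


def summarize_report(xml_text):
    """Count alert instances per ZAP risk level; reject anything that is not a ZAP report."""
    root = ET.fromstring(xml_text)
    if root.tag != "OWASPZAPReport":
        raise ValueError(f"root element is {root.tag!r}, expected OWASPZAPReport")
    counts = Counter()
    for item in root.iter("alertitem"):
        risk = int(item.findtext("riskcode", default="0"))
        counts[RISK_NAMES.get(risk, "Unknown")] += len(item.findall("instances/instance"))
    return dict(counts)


def findings_at_or_above(xml_text, min_riskcode):
    """List (name, cweid, uri) for every instance whose alert riskcode >= min_riskcode."""
    root = ET.fromstring(xml_text)
    out = []
    for item in root.iter("alertitem"):
        if int(item.findtext("riskcode", default="0")) < min_riskcode:
            continue
        name = item.findtext("name", default="?")
        cwe = item.findtext("cweid", default="")
        for inst in item.findall("instances/instance"):
            out.append((name, cwe, inst.findtext("uri", default="")))
    return out


def gate_passes(xml_text, max_allowed_riskcode=1):
    """True when no alert exceeds max_allowed_riskcode (default: Low and below only)."""
    return not findings_at_or_above(xml_text, max_allowed_riskcode + 1)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("report path:", resolve_report_path(props, {"WORKSPACE": "/var/jenkins/workspace/app"}))
    print("instances by risk:", summarize_report(SAMPLE_REPORT))
    for name, cwe, uri in findings_at_or_above(SAMPLE_REPORT, 3):
        print(f"HIGH  CWE-{cwe}  {name}  {uri}")
    print("gate passes:", gate_passes(SAMPLE_REPORT))
```

In a real job, read the properties file and the resolved report path from disk instead of the constructed strings, and run the check between the owasp-zap and sonar-scanner steps; the risk threshold passed to gate_passes is a team decision, the script only makes the failure explicit instead of leaving an empty SonarQube import.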

History

The ZAP SonarQube Plugin is derived from the OWASP Dependency-Check SonarQube Plugin. Version 1.0 of the Dependency-Check plugin was forked by @polymont with the intent of creating a generic OWASP SonarQube plugin to support any OWASP project. The ZAP team wanted their own SonarQube plugin independent of any other project. In addition, a number of critical defects were discovered in the initial release of the Dependency-Check SonarQube plugin that were later fixed in subsequent releases, but never addressed in the generic OWASP version. The ZAP SonarQube Plugin is based on v1.0.3 of the Dependency-Check SonarQube plugin with ZAP-specific contributions by @polymont.

License

Permission to modify and redistribute is granted under the terms of the LGPLv3 license.
