FindSecBugs rules are not located in proper Security Category in SonarQube

[andrew2809]

I'm not sure if it's a bug or a feature. FindSecBugs contains security rules. They are visible in Security category as Others.
I expected to find them in fine grained category.
I.e.
"Potential JDBC Injection (Spring JDBC)"
https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC
should be in OWASP: Top 10 A1-Injection category.

[gtoison]

Hello,
The SpotBugs plugin uses RulesDefinitionXmlLoader from the SonarQube API to load rules from XML files. It looks like this class does not handle OWASP categories (it does not call the addOwaspTop10() method).
Given that RulesDefinitionXmlLoader was deprecated in SonarQube 9 I doubt that SonarSource will improve it at this point.

Eventually the plugin will need to move to a new way of loading rules but that's not an easy refactor

[andrew2809]

Hi,
Does it mean findbugs security bugs were never reported under 'OWASP Top 10' or were there some api changes recently ?
I am using Community Edition Version 8.9.2.

[gtoison]

It is possible to link rules definitions with security standards since SQ 7.3 according to: https://jira.sonarsource.com/browse/SONAR-10986
Before that rules had tags and that's what the SpotBugs plugin does, for instance you should find rule findsecbugs:SQL_INJECTION_JDBC under tag owasp-a1 in: https://<YOUR_SQ_SERVER>/sonarqube/coding_rules?tags=owasp-a1

I've looked a bit more in the way rules are created by this plugin and unfortunately there's no easy to add the security categories. I think I'll try asking if there's a way to improve/extends SonarQube's RulesDefinitionXmlLoader

[pethers]

Did a workaround in sonar-cloudformation-plugin https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/src/main/java/com/hack23/sonar/cloudformation/CloudformationRulesDefinition.java , used tags in the xml.

Possible to use newRule.addCwe and newRule.addOwaspTop10 . Not perfect but it works.

[gtoison]

Ah yes, using the tags through reflection is a good idea.

Then I think that a prerequisite is to upgrade the tags from OWASP 2013 to OWASP 2017 (SonarQube apparently has not updated to OWASP 2021)
I'm not sure why PR #238 was not merged in the end.
@pethers do you want to give a try or shall I look into it?

[pethers]

Found some mappings https://blog.51sec.org/2018/02/owasp-top-10-2010-2013-2017.html

The file https://github.com/spotbugs/sonar-findbugs/blob/master/src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml only contain owasp-a1, owasp-a3, owasp-a4, owasp-a6.

is findbug sec bugs using 2013 ?

Busy the next few days but will probably have time during the weekend to give a try.

But #238 looks promising so maybe better to look into why is wasn't merged.

[gtoison]

From what I've seen findbugs-sec is not really categorizing bugs (although some of them have links to the relevant category on the OWASP website)
The SpotBugs plugin uses the findbugs-sec messages.xml and transforms it into XML files using a Groovy script. The OWASP tags are added by the Groovy script

I've also seen that SonarSource plans to migrate to OWASP 2021 in SonarQube 9.4
I'm not sure how we could support OWASP 2017 and 2021 at the same time, depending on the SQ version