I built my first SonarQube plugin!
Recently, my company has an initiative to integrate a SAST tool into the CI/CD pipeline. We have been looking at Fortify, SonarQube, etc. Fortunately, I am taking part in the SonarQube research :)
We first discovered the CNES plugin, but it does not really cover all the cases that we wanted to see. Therefore, we decided to re-invent the wheel!
Actually, there is a built-in report tool; unfortunately, it is only available in the Enterprise Edition. As a developer myself, I am more biased toward the Community Edition, which is FREE! :)
I pulled the CNES report to seek a chance to amend it. However, the current (as of end of April 2022) version doesn't support the OWASP 2021 report; it is only supported by the upgraded (I believe 9.x) version. Then I went ahead and pulled the sonar custom plugin example repo, and studied and learned from it.
I discovered that the Java code is a wrapper that plugs into the SonarQube system, which I believe is based on Java too (of course they use other components like Elasticsearch, etc.). I also discovered that there is a bunch of RESTful web APIs available out of the box! Although it is very confusing in certain cases, I managed to figure it out by visiting different pages in the SonarQube dashboard itself.
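To show what "report from the Web API" can look like without the plugin, here is an added example (my own illustration, not the author's plugin code) that pulls open vulnerabilities from the `api/issues/search` endpoint and summarises them by severity and rule. It assumes the endpoint's JSON shape (`paging` plus an `issues` list whose entries carry `severity`, `type`, `rule` and `component`), which is how current SonarQube servers respond; the server URL, project key and token are placeholders, and the embedded sample response is constructed so the summary runs offline.

```python
"""Summarise open SonarQube vulnerabilities via the Web API.

Added example, not code from the original post. Assumes the
`api/issues/search` endpoint and its JSON shape; SONAR_URL,
PROJECT_KEY and SONAR_TOKEN are placeholders to replace.
"""
import base64
import json
import urllib.parse
import urllib.request
from collections import Counter

SONAR_URL = "http://localhost:9000"        # placeholder server
PROJECT_KEY = "my-project"                 # placeholder project key
SONAR_TOKEN = "REPLACE_WITH_USER_TOKEN"    # placeholder user token (never commit a real one)


def build_query(project_key, page=1, page_size=500):
    """Query parameters for api/issues/search restricted to unresolved vulnerabilities."""
    return {
        "componentKeys": project_key,
        "types": "VULNERABILITY",
        "resolved": "false",
        "p": page,
        "ps": page_size,
    }


def fetch_issues_page(base_url, token, params):
    """Call the Web API; SonarQube accepts a user token as the basic-auth username."""
    url = f"{base_url}/api/issues/search?{urllib.parse.urlencode(params)}"
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all_issues(base_url, token, project_key):
    """Walk the paged result set using the `paging` block of each response."""
    issues, page = [], 1
    while True:
        data = fetch_issues_page(base_url, token, build_query(project_key, page))
        issues.extend(data["issues"])
        paging = data["paging"]
        if paging["pageIndex"] * paging["pageSize"] >= paging["total"]:
            return issues
        page += 1


def summarise(issues):
    """Count vulnerabilities by severity and by rule key."""
    return {
        "total": len(issues),
        "by_severity": dict(Counter(i["severity"] for i in issues)),
        "by_rule": dict(Counter(i["rule"] for i in issues)),
    }


def render(summary):
    """Render the summary as plain-text report lines, worst severity first."""
    order = ["BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"]
    lines = [f"Open vulnerabilities: {summary['total']}"]
    for sev in order:
        if sev in summary["by_severity"]:
            lines.append(f"  {sev:<9} {summary['by_severity'][sev]}")
    for rule, n in sorted(summary["by_rule"].items()):
        lines.append(f"  rule {rule}: {n}")
    return "\n".join(lines)


# Constructed sample response in the shape api/issues/search returns
# (rule keys and components are made up for the example).
SAMPLE_RESPONSE = {
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 3},
    "issues": [
        {"key": "A1", "rule": "java:S0001", "severity": "CRITICAL",
         "type": "VULNERABILITY", "component": "my-project:src/Login.java"},
        {"key": "A2", "rule": "java:S0001", "severity": "CRITICAL",
         "type": "VULNERABILITY", "component": "my-project:src/Search.java"},
        {"key": "A3", "rule": "java:S0002", "severity": "MAJOR",
         "type": "VULNERABILITY", "component": "my-project:src/Upload.java"},
    ],
}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_all_issues(...) for a live server.
    print(render(summarise(SAMPLE_RESPONSE["issues"])))
```

The same `summarise`/`render` pair can be reused for other issue types (`types=BUG` or `CODE_SMELL`) simply by changing `build_query`; security hotspots live under a separate `api/hotspots/search` endpoint on recent versions and are not covered here.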
Sample report: unfortunately, it contains a client's data, so I can't show it here. But no worry, just get your hands dirty and pull my code :) You will be able to see how it works!