SonarQube Connector Guide

Summary: How to set up and use the SonarQube connector in Ivanti Neurons.

Overview

SonarQube is an on-premises code quality and security analysis service. It operates as a static code analyzer (SAST) that discovers security and quality issues in a project's source code and exposes the results of each analysis through its Web API.

Ivanti Neurons provides an API-based connector for SonarQube that brings those SAST findings into the platform. This gives customers visibility into the risk posed by vulnerabilities in their source code and a more straightforward, efficient way to manage those vulnerabilities.

User Prerequisites/SonarQube Setup

SonarQube is an on-premises solution. Ivanti Neurons requires a SonarQube user account with the following access in order to communicate with and pull data from it.

  • A user with, at minimum, read access (the Browse permission in SonarQube) to the projects to be ingested, so that scan results and their associated issues are visible, and permission to call the SonarQube API endpoints listed below. The connector only reads, so a dedicated service account with no additional permissions is the appropriate choice.

  • As SonarQube is an on-premises solution, a RiskSense On-Site Application (ROSA) OVA must be deployed for it to communicate with Ivanti Neurons. See the ROSA documentation for more information.

SonarQube Connector API Calls

The following API calls are performed during a connector run to pull security vulnerabilities from SonarQube into Ivanti Neurons.

API Type                                        Endpoint
----------------------------------------------  ------------------------------
Authentication                                  /api/authentication/validate
Fetch list of project keys                      /api/components/search
Fetch analysis date for each project            /api/components/show
Fetch list of directories for each project      /api/components/tree
Fetch list of issues for each directory         /api/issues/search
Fetch list of rules for the organization        /api/rules/search
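The call sequence in the table, replayed as an added Python example written for this guide (it is not Ivanti's connector code). It assumes the SonarQube Web API as shipped in recent 8.x and 9.x releases: a user token is sent as HTTP Basic with the token as the user name and an empty password, search endpoints page with p and ps (ps at most 500), issues/search accepts componentKeys and types, and issues/search will not return results beyond the 10,000th, which is the practical reason for requesting issues per directory rather than per project. The fetch function is injectable and the SAMPLE responses (including the rule keys and issue keys in them) are constructed, so the block runs offline; make_http_fetch builds the same fetch against a live instance.

```python
import base64
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 500       # largest page size most SonarQube search endpoints accept
MAX_RESULTS = 10_000  # issues/search does not page past the 10,000th result


def basic_auth_header(token):
    """SonarQube user tokens go in HTTP Basic: token as the user, empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def make_http_fetch(base_url, token):
    """Build fetch(path, params) -> parsed JSON against a live SonarQube instance."""
    def fetch(path, params):
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(token)})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def paged(fetch, path, params, key):
    """Yield every item from a paged endpoint. Stops with an error at the
    10,000-result ceiling instead of silently truncating; querying issues
    per directory is what keeps each issues/search call under it."""
    page = 1
    while True:
        data = fetch(path, {**params, "p": page, "ps": PAGE_SIZE})
        items = data.get(key, [])
        yield from items
        # components/* report paging.total; issues/rules also expose a top-level total
        total = data.get("paging", {}).get("total", data.get("total", 0))
        if not items or page * PAGE_SIZE >= total:
            return
        if page * PAGE_SIZE >= MAX_RESULTS:
            raise RuntimeError(f"{path}: {total} results but only {MAX_RESULTS} are reachable; narrow the query")
        page += 1


def pull(fetch, organization="default-organization", project_keys=None, types=("VULNERABILITY",)):
    """Run the connector's call sequence; return findings shaped like the field mapping."""
    if not fetch("/api/authentication/validate", {}).get("valid"):
        raise PermissionError("SonarQube rejected the user token")
    projects = list(paged(fetch, "/api/components/search", {"qualifiers": "TRK"}, "components"))
    if project_keys is not None:                      # the "Select Projects" option
        projects = [p for p in projects if p["key"] in set(project_keys)]
    rules = {r["key"]: r for r in paged(fetch, "/api/rules/search", {}, "rules")}
    findings = []
    for proj in projects:
        shown = fetch("/api/components/show", {"component": proj["key"]})["component"]
        dirs = paged(fetch, "/api/components/tree", {"component": proj["key"], "qualifiers": "DIR"}, "components")
        for d in dirs:
            query = {"componentKeys": d["key"], "types": ",".join(types)}
            for issue in paged(fetch, "/api/issues/search", query, "issues"):
                rule = rules.get(issue["rule"], {})
                findings.append({
                    "application_name": proj["name"],
                    "scanner_plugin": issue["rule"],
                    "scanner_severity": rule.get("severity", issue["severity"]),  # rules -> severity
                    "plugin_source_status": issue["status"],
                    "analysis_date": shown.get("analysisDate"),
                    "tags": {"Organization": organization, "SysTags": rule.get("sysTags", []),
                             "Tags": issue.get("tags", []), "Resolution": issue.get("resolution")},
                })
    return findings


# Constructed sample responses (not real scan output) so the block runs offline.
SAMPLE = {
    "/api/authentication/validate": {"valid": True},
    "/api/components/search": {"paging": {"total": 1},
                               "components": [{"key": "demo:app", "name": "Demo App"}]},
    "/api/components/show": {"component": {"key": "demo:app", "analysisDate": "2023-05-01T10:00:00+0000"}},
    "/api/components/tree": {"paging": {"total": 1}, "components": [{"key": "demo:app:src"}]},
    "/api/issues/search": {"total": 2, "issues": [
        {"key": "i1", "rule": "java:S2076", "severity": "CRITICAL", "status": "OPEN", "tags": ["injection"]},
        {"key": "i2", "rule": "java:S5131", "severity": "MAJOR", "status": "RESOLVED",
         "tags": [], "resolution": "FIXED"}]},
    "/api/rules/search": {"total": 2, "rules": [
        {"key": "java:S2076", "severity": "BLOCKER", "sysTags": ["cwe", "injection"]},
        {"key": "java:S5131", "severity": "MAJOR", "sysTags": ["cwe"]}]},
}


def sample_fetch(path, params):
    """Offline stand-in for make_http_fetch(); ignores params."""
    return SAMPLE[path]


if __name__ == "__main__":
    for f in pull(sample_fetch):
        print(f["application_name"], f["scanner_plugin"], f["scanner_severity"], f["plugin_source_status"])
```

Note that Scanner Severity is taken from the rule, not the issue, matching the field mapping later in this guide; the two can differ when an issue's severity has been changed in the SonarQube UI.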

Fetching the SonarQube User Token

First, log in to your SonarQube instance with the designated user account. Navigate to My Account > Security. Enter a token name and click the Generate button.

SonarQube Connector - Generate User Token

Copy the user token immediately, as it is displayed only once. Use this token for API authentication. Treat it as a credential: it carries the same access as the account that generated it, so store it only in the connector configuration, and revoke it from the same Security page if it is ever exposed.

Configuring the SonarQube Connector in Ivanti Neurons

Navigate to the Automate > Integrations page.

Navigation - Automation - Integrations

Using the search bar in the upper-right corner of the Integrations page, type SonarQube to find the connector.

SonarQube Connector - Search for Connector

Locate the SonarQube card on the page and click Configuration.

SonarQube Connector - Configuration Button Location

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector's name.

  • URL: The base URL of the SonarQube instance, including scheme and port.

  • UserToken: The user token generated in SonarQube, as described under Fetching the SonarQube User Token above.

  • Organization key: Defaults to default-organization. If no value is provided, Ivanti Neurons looks for the organization key default-organization.

  • SSL: Optional. The SonarQube instance's SSL certificate in base64 format, for instances whose certificate is not trusted by default (for example, a self-signed or private-CA certificate).

SonarQube Connector - Connection Window

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make SonarQube API calls.

SonarQube Connector - Test Credentials

Under Schedule, configure how often the connector retrieves results from the SonarQube instance and, optionally, an Oldest Scan Data Pull window.

The Oldest Scan Data Pull drop-down limits the pull to scan data from the last 30, 60, 90 or 180 days, or 1 year.

SonarQube Connector - Schedule Section

Under Connector Specific Options, select the required options from the list.

  • Projects: Select All Projects to pull every project under the organization. To pull specific projects, select Select Projects; Ivanti Neurons then makes a dynamic call to SonarQube to fetch the available projects, and more than one project can be chosen.

  • Ingest Findings: Select which SonarQube finding types to ingest. More than one type of finding can be ingested at once.

SonarQube Connector - Connector Specific Options

Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).

When the Create Assets that do not have vulnerabilities option is checked, Ivanti Neurons also creates applications with zero findings. This option is selected by default and can be turned off.

Click the Save button to save the configuration and create the connector. Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.

Clicking History displays the connector details for each pull. Sync performs an on-demand sync, Edit opens the connector configuration for editing, and Delete removes the connector.

SonarQube Connector - Configured Connector

Once files have been processed on the Uploads page, view the ingested data by navigating to the Applications and Application Findings pages.

Mapping SonarQube fields in Ivanti Neurons

This table shows the high-level mapping of SonarQube fields to Ivanti Neurons fields.

Ivanti Neurons Field      SonarQube Field
------------------------  --------------------------------------------------------------
Scanner Severity          rules -> severity
Normalized Severity       Derived from the SonarQube severity scale (Blocker, Critical,
                          Major, Minor, Info), which Ivanti Neurons converts to a 0-10
                          scale using its own logic. Contact Ivanti Neurons Support for
                          more information.
Scanner Plugin            rules -> key
Application Name          ProjectName
Plugin Source Status      issues -> status

Ivanti Neurons Tags

The following fields from SonarQube are converted into Ivanti Neurons tags. Use these tags for searching, automating playbooks, and visualizing in Ivanti Neurons Dashboards.

  • Organization - The tag is prefixed with the field name (Organization) to ease searching.

  • SysTags

  • Tags

  • Resolution

Common Fields in Ivanti Neurons

The following fields in Ivanti Neurons are defined for SonarQube, along with their default values.

  • The Scanner Name will be SonarQube.

  • The Finding Type will be SAST.