SonarQube Professional Integration
The SonarQube and SonarCloud integration in OpenRMF® Professional allows you to import vulnerabilities found during static software scans into your system package for tracking purposes.
Generate a Login Token
To use the SonarQube integration you must have a login token. To get one, click the far-right profile icon and then click My Account. On that page, click the Security tab to see all tokens that have been generated. Enter a unique token name (e.g. OpenRMFPro) and click the Generate button. Copy the token when it is presented, because it cannot be looked up afterwards. Use this token when setting up the SonarQube integration.
See the image below for direction on how to get to the page to generate a token.
Enabling the Integration
To enable the integration, go to the Integrations and Plugins page and click the SonarQube option. The form shown below asks for the root SonarQube URL, the organization to use (if any), and the API token generated from your profile, which is used to log in and import scan data.
Test the SonarQube integration with the Test button before saving it, and make sure the test succeeds before saving your integration information.
You can always return and delete the integration. If you return to edit the integration, you MUST enter the password/token again, because it is not sent back to the Integration page.
If the site uses HTTPS with a self-signed certificate, you can select the “Allow HTTPS Connection” option so the connection is accepted even though the certificate cannot be validated against a trusted authority. You may need this on a private or disconnected network, or when the server uses a self-signed certificate or a custom certificate authority.
Now that the integration is set up, return to your system package dashboard; an Import option now appears under the Other Technology button menu.
Adding SonarQube Projects for Importing
Once the integration is tested and saved, you can add projects for import by entering a Project Key and a Branch Name (if required) in the form just under the integration settings. Click the Save button and the “Current SonarQube Projects” list is updated with the data you added.
Note that SonarQube Community Edition does not allow or use a branch name. For other editions, including SonarCloud, omitting the branch name means the default branch is used.
To remove a project from the available listing, click the red “X” next to it. This does not remove any results already imported; it only removes the ability to import from that project again.
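The settings the form collects (root URL, optional organization, token, project key, optional branch) map directly onto requests to SonarQube's web API. The following is an added example, not OpenRMF's own code, showing how those settings are checked and turned into requests the way the Test button and the project list do: the token is sent as the basic-auth user name, the branch is rejected for Community Edition and omitted to get the default branch, and a private CA is trusted via a bundle file rather than by switching verification off. The `/api/authentication/validate` and `/api/issues/search` endpoints and their parameters are SonarQube's documented API, assumed here rather than taken from this page; the settings values are constructed.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Constructed model of the fields the OpenRMF integration form collects.
@dataclass
class SonarSettings:
    root_url: str                        # root SonarQube / SonarCloud URL
    token: str                           # user token from My Account > Security
    organization: Optional[str] = None   # SonarCloud organization, if any
    community_edition: bool = False      # Community Edition has no branch support
    ca_bundle: Optional[str] = None      # PEM bundle for a private / custom CA

def auth_header(token: str) -> str:
    # SonarQube accepts the token as the basic-auth user name with an empty password.
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()

def tls_context(settings: SonarSettings) -> ssl.SSLContext:
    # Trust the custom CA explicitly (cafile=None falls back to the system store);
    # certificate validation stays on either way.
    return ssl.create_default_context(cafile=settings.ca_bundle)

def validate_request(settings: SonarSettings) -> urllib.request.Request:
    # Equivalent of the form's Test button: does the token authenticate at all?
    req = urllib.request.Request(settings.root_url.rstrip("/") + "/api/authentication/validate")
    req.add_header("Authorization", auth_header(settings.token))
    return req

def issues_request(settings: SonarSettings, project_key: str,
                   branch: Optional[str] = None) -> urllib.request.Request:
    # Build the vulnerability search for one listed project.
    params = {"componentKeys": project_key, "types": "VULNERABILITY", "ps": 500}
    if settings.organization:
        params["organization"] = settings.organization
    if branch:
        if settings.community_edition:
            raise ValueError("branch names are not supported on Community Edition")
        params["branch"] = branch
    # No branch parameter means the server uses the project's default branch.
    url = settings.root_url.rstrip("/") + "/api/issues/search?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url)
    req.add_header("Authorization", auth_header(settings.token))
    return req

def check_connection(settings: SonarSettings) -> bool:
    # Performs the live test; returns True only when the server reports the token as valid.
    with urllib.request.urlopen(validate_request(settings), context=tls_context(settings)) as resp:
        return json.load(resp).get("valid") is True
```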
Importing Vulnerabilities from SonarQube
To view detailed information on importing vulnerability data please visit the Importing Technology Vulnerability Scans Help.