Add sonarqube output #288
Conversation
travis keeps failing for silly
The latest travis-ci run fails on the tip: https://travis-ci.org/securego/gosec/jobs/504930446.
Likely introduced by golang/go#24843. So I'm ok with merging this with the CI job failure. cc/ @MVrachev
@@ -165,19 +165,19 @@ func loadRules(include, exclude string) rules.RuleList { | |||
return rules.Generate(filters...) | |||
} | |||
|
|||
func saveOutput(filename, format string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error { | |||
func saveOutput(filename, format, rootPath string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error { |
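Review bot: threading a rootPath parameter through saveOutput changes the signature for every output format in order to serve only the SonarQube one; the relative path could instead be computed where the SonarQube formatter fills primaryLocation.filePath, or the root could travel with the existing options rather than as a new positional string. Whichever way it is done, derive the relative path with filepath.Rel(rootPath, issue.File) rather than trimming a string prefix, so a file that merely shares a prefix with the root (root /src/app, file /src/app2/x.go) is not mangled, and decide explicitly what to emit when filepath.Rel yields a path starting with "../", since the thread notes SonarQube resolves paths from the project root.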
I'm not sure modifying the interface to achieve a truncated file path is the best solution here. Is there any specific reason for it? Does Sonarqube only recognize relative paths?
This is certainly something we can look at fixing though.
Yes, sonarqube reports from the root of the project. I needed a way to remove the full path. Happy to refactor, if you can think of a better way of doing this.
From:
{
"engineId": "gosec",
"ruleId": "G505",
"primaryLocation": {
"message": "Blacklisted import crypto/sha1: weak cryptographic primitive",
"filePath": "service/caching.go",
"textRange": {
"startLine": 5,
"endLine": 5
}
},
"type": "VULNERABILITY",
"severity": "MAJOR",
"effortMinutes": 5
}
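As an added example (not the PR's code and not gosec's own), the following Go program produces the JSON shape shown above from scanner findings, computing the project-relative filePath the thread discusses with filepath.Rel instead of string-prefix trimming, so files that only share a prefix with the root, or that sit outside it, are caught rather than mangled. The Issue struct, the LOW and HIGH rows of the severity mapping (only MAJOR appears on this page), and the sample paths are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"path/filepath"
	"strconv"
	"strings"
)

// Issue is a minimal stand-in for gosec.Issue (assumption of this example):
// only the fields the SonarQube report needs are modelled.
type Issue struct {
	RuleID   string // e.g. "G505"
	What     string // human-readable finding
	File     string // absolute path as the scanner records it
	Line     string // a single line as "5", a range as "5-7"
	Severity string // "LOW", "MEDIUM" or "HIGH"
}

// The structs below mirror the JSON object quoted in the thread.
type textRange struct {
	StartLine int `json:"startLine"`
	EndLine   int `json:"endLine"`
}

type primaryLocation struct {
	Message   string    `json:"message"`
	FilePath  string    `json:"filePath"`
	TextRange textRange `json:"textRange"`
}

type sonarIssue struct {
	EngineID        string          `json:"engineId"`
	RuleID          string          `json:"ruleId"`
	PrimaryLocation primaryLocation `json:"primaryLocation"`
	Type            string          `json:"type"`
	Severity        string          `json:"severity"`
	EffortMinutes   int             `json:"effortMinutes"`
}

type sonarReport struct {
	Issues []sonarIssue `json:"issues"`
}

// Fixed values from the thread: there is no per-issue effort estimate yet.
const (
	engineID             = "gosec"
	issueType            = "VULNERABILITY"
	defaultEffortMinutes = 5
)

// sonarSeverity maps scanner severities onto SonarQube's. Only MAJOR is shown
// on the page; the CRITICAL and MINOR rows are this example's assumption.
func sonarSeverity(s string) string {
	switch strings.ToUpper(s) {
	case "HIGH":
		return "CRITICAL"
	case "MEDIUM":
		return "MAJOR"
	default:
		return "MINOR"
	}
}

// parseLineRange turns "5" into (5,5) and "5-7" into (5,7).
func parseLineRange(l string) (int, int, error) {
	parts := strings.SplitN(l, "-", 2)
	start, err := strconv.Atoi(strings.TrimSpace(parts[0]))
	if err != nil {
		return 0, 0, fmt.Errorf("bad line %q: %w", l, err)
	}
	end := start
	if len(parts) == 2 {
		if end, err = strconv.Atoi(strings.TrimSpace(parts[1])); err != nil {
			return 0, 0, fmt.Errorf("bad line %q: %w", l, err)
		}
	}
	return start, end, nil
}

// projectRelPath uses filepath.Rel rather than trimming a string prefix, so a
// file that merely shares a prefix with the root (root /src/app, file
// /src/app2/x.go) is not mangled, and a file outside the root is rejected
// instead of being emitted as a "../..." path the server cannot place.
func projectRelPath(root, file string) (string, error) {
	rel, err := filepath.Rel(root, file)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%s is outside project root %s", file, root)
	}
	return filepath.ToSlash(rel), nil
}

// buildReport converts findings into the generic issue report; any issue that
// cannot be placed in the project aborts the report rather than being dropped.
func buildReport(root string, issues []Issue) (sonarReport, error) {
	report := sonarReport{Issues: []sonarIssue{}}
	for _, is := range issues {
		rel, err := projectRelPath(root, is.File)
		if err != nil {
			return sonarReport{}, err
		}
		start, end, err := parseLineRange(is.Line)
		if err != nil {
			return sonarReport{}, err
		}
		report.Issues = append(report.Issues, sonarIssue{
			EngineID: engineID,
			RuleID:   is.RuleID,
			PrimaryLocation: primaryLocation{
				Message:   is.What,
				FilePath:  rel,
				TextRange: textRange{StartLine: start, EndLine: end},
			},
			Type:          issueType,
			Severity:      sonarSeverity(is.Severity),
			EffortMinutes: defaultEffortMinutes,
		})
	}
	return report, nil
}

func main() {
	// Constructed sample input; the message is the one quoted in the thread.
	issues := []Issue{{
		RuleID:   "G505",
		What:     "Blacklisted import crypto/sha1: weak cryptographic primitive",
		File:     "/work/proj/service/caching.go",
		Line:     "5",
		Severity: "MEDIUM",
	}}
	report, err := buildReport("/work/proj", issues)
	if err != nil {
		log.Fatal(err)
	}
	out, _ := json.MarshalIndent(report, "", "  ")
	fmt.Println(string(out))
}
```

The report wraps the objects in an "issues" array, which is how the generic import expects to receive a batch; the single object quoted above is one element of that array.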
output/formatter.go
}, | ||
Type: "VULNERABILITY", | ||
Severity: getSonarSeverity(issue.Severity.String()), | ||
EffortMinutes: 5, |
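Review bot: the literal 5 in EffortMinutes and the literal "VULNERABILITY" in Type should be named constants with a comment saying they are fixed placeholders, because the effort value feeds SonarQube's technical-debt figure and a reader of this code cannot tell whether 5 is measured or guessed. getSonarSeverity(issue.Severity.String()) converts the severity to a string only to switch on it again; mapping from the scanner's severity type directly keeps the mapping next to the type it interprets and avoids the round trip through text.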
Why hardcode a value here? We could potentially actually capture time elapsed here as part of the reporting process. (start_time, finish_time) to the stats area.
No reason, I just didn't want to change your project too much when I actually have no idea how long it will take to fix. This is used to calculate technical debt in sonarqube, as in how long it will take to fix. 5 minutes seems better than zero, but it could be hours since I wouldn't know the impact of the change on the user's code.
My understanding is that this is an estimate for developers which indicates how long it would take to fix the issue. In this case, I don't see how we can measure it, therefore I am fine with a constant. Maybe in the future it can be defined per issue for a more granular estimate.
I would extract this into a constant with a clear meaning.
done.
Codecov Report
@@ Coverage Diff @@
## master #288 +/- ##
======================================
Coverage 56.3% 56.3%
======================================
Files 9 9
Lines 492 492
======================================
Hits 277 277
Misses 188 188
Partials 27 27
Continue to review full report at Codecov.
All open requests have been updated.
bump
Looks like a good addition, thanks! I don't have access to sonarqube to make sure the integration works, but I have verified the output.
For Issue #287