Skip to content

This repository contains a SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.

License

Notifications You must be signed in to change notification settings

IBM/sonar-cryptography

Sonar Cryptography Plugin

License Current Release

This repository contains a SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.

Version compatibility

Plugin Version SonarQube Version
1.3.2 and up SonarQube 9.8 and up
1.2.0 to 1.3.1 SonarQube 9.8 and 10.4

Supported languages and libraries

Language Cryptographic Library Coverage
Java JCA 100%
BouncyCastle (light-weight API) 100%1
Python pyca/cryptography 100%

Note

The plugin is designed in a modular way so that it can be extended to support additional languages and recognition rules to support more libraries.

Installation

Note

To run the plugin, you need a running SonarQube instance with one of the supported versions. If you don't have one but want to try the plugin, you can use the included Docker Compose to set up a development environment. See here for instructions.

Copy the plugin (the JAR file from the latest releases) to $SONARQUBE_HOME/extensions/plugins and restart SonarQube (more).

Using

The plugin provides new inventory rules (IBM Cryptography Repository) regarding the use of cryptography for the supported languages. If you enable these rules, a source code scan creates a cryptographic inventory by creating a CBOM with all cryptographic assets and writing a cbom.json to the scan directory.

Add Cryptography Rules to your Quality Profile

This plugin incorporates rules specifically focused on cryptography.

To generate a Cryptography Bill of Materials (CBOM), it is mandatory to activate at least one of these cryptography-related rules.

Activate Rules Crypto Rules

As of the current version, the plugin contains one single rule for creating a cryptographic inventory. Future updates may introduce additional rules to expand functionality.

Scan Source Code

Now you can follow the SonarQube documentation to start your first scan.

Visualizing your CBOM

Once you have scanned your source code with the plugin, and obtained a cbom.json file, you can use IBM's CBOM Viewer service to know more about it. It provides you with general insights about the cryptography used in your source code and its compliance with post-quantum safety. It also allows you to explore precisely each cryptography asset and its detailed specification, and displays where it appears in your code.

Help and troubleshooting

If you encounter difficulties or unexpected results while installing the plugin with SonarQube, or when trying to scan a repository, please check out our guide Testing your configuration and troubleshooting to run our plugin with step-by-step instructions.

Contribution Guidelines

If you'd like to contribute to Sonar Cryptography Plugin, please take a look at our contribution guidelines. By participating, you are expected to uphold our code of conduct.

We use GitHub issues for tracking requests and bugs. For questions start a discussion using GitHub Discussions.

License

Apache License 2.0

Footnotes

  1. We only cover the BouncyCastle light-weight API according to this specification