SonarQube does not display Bandit's Python security vulnerability report

Overview

I am using SonarQube 7.4.0.18908 to collect code coverage and run static code analysis on a Python 3.6 project. The server runs in AWS. Things work as expected (see the screenshot below).

Now I want to add security scanning to the project. I "chose" Bandit, but really that seems to be the only tool which currently integrates with SonarQube for Python, as described in Import Bandit Issues Reports. The SonarPython plugin, which supports Bandit analysis, is installed on the SonarQube server. To generate the vulnerability report locally, I use the Bandit 1.5.1 pip3 module.

Problem

The vulnerability report is not displayed in - and perhaps not even uploaded to - SonarQube (see the same screenshot below).

Steps to reproduce

I added this line to the project's sonar-project.properties file:

sonar.python.bandit.reportPaths=bandit-report.json

Then I run the report:

pip3 install bandit==1.5.1
bandit --format json --output bandit-report.json --recursive src

I confirmed that bandit-report.json contains the correct data:

{
  "errors": [],
  "generated_at": "2019-01-30T14:49:18Z",
  "metrics": {
...
"results": [
    {
      "code": "8 def prepare_df_for_comparison(df, name, ignore_columns=None, sort_columns=None):\n9     assert df is not None\n10 \n11     # upper-case all columns\n12     df.columns = [x.upper() for x in df.columns]\n",
      "filename": "./build/lib/tasks/compare_df.py",
      "issue_confidence": "HIGH",
      "issue_severity": "LOW",
      "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
...

Then I publish to SonarQube:

sonar-scanner

Scanner output:

INFO: Scanner configuration file: NONE
INFO: Project root configuration file: /root_dir/sonar-project.properties
INFO: SonarQube Scanner 3.2.0.1227
INFO: Java 1.8.0_191 Oracle Corporation (64-bit)
INFO: Linux 4.9.125-linuxkit amd64
INFO: User cache: /root/.sonar/cache
INFO: SonarQube server 7.4.0
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Publish mode
INFO: Load global settings
INFO: Load global settings (done) | time=126ms
INFO: Server id: <snip>
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=102ms
INFO: Load/download plugins (done) | time=130ms
INFO: Loaded core extensions:
INFO: Process project properties
INFO: Load project repositories
INFO: Load project repositories (done) | time=84ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=33ms
INFO: Load active rules
INFO: Load active rules (done) | time=554ms
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=27ms
INFO: Project key: security-scan
INFO: Project base dir: /root_dir/src
INFO: -------------  Scan Security Scan
INFO: Base dir: /root_dir/src
INFO: Working dir: /root_dir/src/.scannerwork
INFO: Source paths: config, dag_factories, operators, tasks
INFO: Test paths: tests
INFO: Source encoding: UTF-8, default locale: en_US
INFO: Load server rules
INFO: Load server rules (done) | time=187ms
INFO: Language is forced to py
INFO: Index files
INFO: Excluded sources:
INFO:   **/*.pyc
INFO:   **/*.ini
INFO: Excluded tests:
INFO:   **/*.pyc
INFO: 95 files indexed
INFO: 82 files ignored because of inclusion/exclusion patterns
INFO: Quality profile for py: Sonar way
INFO: Sensor Python Squid Sensor [python]
WARN: Metric 'comment_lines_data' is deprecated. Provided value is ignored.
INFO: Sensor Python Squid Sensor [python] (done) | time=2831ms
INFO: Sensor PythonXUnitSensor [python]
INFO: Sensor PythonXUnitSensor [python] (done) | time=318ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=6ms
INFO: Sensor SonarJavaXmlFileSensor [java]
INFO: Sensor SonarJavaXmlFileSensor [java] (done) | time=1ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=54ms
INFO: SCM Publisher is disabled
INFO: 3 files had no CPD blocks
INFO: Calculating CPD for 61 files
INFO: CPD calculation finished
INFO: Analysis report generated in 2349ms, dir size=617 KB
INFO: Analysis reports compressed in 15384ms, zip size=233 KB
INFO: Analysis report uploaded in 108ms
INFO: ANALYSIS SUCCESSFUL, you can browse https://sonarqube.mydomain/dashboard?id=security-scan
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarqube.mydomain/api/ce/task?id=<snip>
INFO: Task total time: 26.187 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 27.558s
INFO: Final Memory: 16M/295M
INFO: ------------------------------------------------------------------------

Here is the complete sonar-project.properties file:

sonar.host.url=https://sonarqube.mydomain
sonar.scm.disabled=true

sonar.projectKey=security-scan
sonar.projectName=Security Scan
sonar.projectVersion=1.0

sonar.language=py

sonar.sources=src
sonar.tests=tests
sonar.python.coverage.reportPath=coverage.xml

sonar.python.bandit.reportPaths=bandit-report.json

sonar.exclusions=**/*.pyc,**/*.ini
sonar.test.exclusions=**/*.pyc

But I cannot see this report anywhere in the SonarQube UI. What am I missing?

Related question

Python code for security analysis using Bandit.

This is the only related question I could find on SO. My problem is different. As I mentioned, the Bandit report is generated correctly locally. The problem seems to be with the upload to SonarQube.

Empty vulnerability report screenshot
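One check worth running before blaming the upload: SonarQube's report importers (the Bandit importer included) only attach an external issue to a file that the scanner actually indexed under sonar.sources or sonar.tests; a finding whose path does not resolve to an indexed file is dropped. Bandit writes "filename" relative to the directory it was run from, so a report produced from a different directory than the scanner's base dir has to be rebased first. Note that the finding shown in the question lives under ./build/lib/, which is not one of the source paths the scanner lists (config, dag_factories, operators, tasks). The script below is an added example, not code from the question or from SonarPython; the sample report and the indexed-file set are constructed, and the directory names are assumptions.

```python
"""Triage a Bandit JSON report against the files the SonarQube scanner indexes.

Added example; this is not code from the original question or from SonarPython.
An external issue is only imported if its file path resolves to a file the
scanner indexed; findings on other paths are dropped. Bandit writes 'filename'
relative to the directory it was run from, so the path is rebased onto the
scanner's base dir before matching. The sample report and the indexed-file set
are constructed.
"""
import json
import posixpath
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed report in the same shape as the one in the question.
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "generated_at": "2019-01-30T14:49:18Z",
    "results": [
        {"filename": "./build/lib/tasks/compare_df.py", "line_number": 9,
         "test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
        {"filename": "./tasks/compare_df.py", "line_number": 9,
         "test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
        {"filename": "./operators/run_shell.py", "line_number": 42,
         "test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified."},
    ],
})

# Hypothetical set of files the scanner indexed, relative to its base dir.
# On a real project, build this from the tree under sonar.sources/sonar.tests.
INDEXED_FILES: Set[str] = {
    "tasks/compare_df.py",
    "operators/run_shell.py",
    "config/settings.py",
}


def rebase(filename: str, report_dir: str, base_dir: str) -> str:
    """Turn a Bandit path (relative to where bandit ran) into a path relative
    to the scanner's base dir, which is how SonarQube matches files."""
    absolute = posixpath.normpath(posixpath.join(report_dir, filename))
    return posixpath.relpath(absolute, base_dir)


def triage(report_json: str, report_dir: str, base_dir: str,
           indexed: Set[str]) -> Tuple[List[Dict], List[Dict]]:
    """Split findings into those SonarQube can attach and those it will drop."""
    results = json.loads(report_json).get("results", [])
    kept: List[Dict] = []
    dropped: List[Dict] = []
    for finding in results:
        sonar_path = rebase(finding["filename"], report_dir, base_dir)
        entry = dict(finding, sonar_path=sonar_path)
        (kept if sonar_path in indexed else dropped).append(entry)
    return kept, dropped


def severity_counts(findings: List[Dict]) -> Dict[str, int]:
    """Count findings by Bandit severity, e.g. to see what would be lost."""
    return dict(Counter(f["issue_severity"] for f in findings))


if __name__ == "__main__":
    # Assumes bandit was run from the scanner's base dir /root_dir/src.
    kept, dropped = triage(SAMPLE_REPORT, "/root_dir/src", "/root_dir/src", INDEXED_FILES)
    print(f"importable: {len(kept)}  dropped: {len(dropped)} {severity_counts(dropped)}")
    for f in dropped:
        print(f"  would be dropped: {f['filename']} -> {f['sonar_path']} ({f['test_id']})")
```

If the dropped list is non-empty, either run Bandit from the scanner's base dir (and keep copies such as build/ out of the run with Bandit's --exclude option) or point the scanner at the directory the report is relative to; otherwise the report uploads "successfully" with nothing to show.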

We recently added Bandit support in SonarPython.

Are you using SonarPython 1.11 on your SonarQube 7.4 instance? You can check in $SQ_HOME/extensions/plugins. If not, simply replacing sonar-python-plugin-xxx.jar with 1.11 should solve your problem.

https://docs.sonarqube.org/display/PLUG/SonarPython

Thanks

You have to add a .bandit file to your project root and define the rules there.

Then you also need to pip install bandit in your environment. Hope this works for you. It worked for me this way; it generates a report defined by the rules.