SonarQube, a popular open-source code quality tool that also performs security analysis, can be a great fit for most teams and we do not discourage its usage. However, it will fall short for teams that consider security an important requirement and will have to be complemented or replaced by stronger security analysis tools.
Table of contents
What is SonarQube
SonarQube was born as a source code quality analysis tool and then quickly became one of the most used DevOps tools to obtain advice on coding best practices, convention, and code performance. More recently in 2018, some security features were added to it. Over time, the popularity of SonarQube as a security tool has also increased, driven by the general adoption of Application Security Testing (AST) tools and higher awareness of the importance of releasing secure code.
SonarQube comes as an open-source version, and several commercial offerings, including an enterprise version.
SonarQube for AppSec
SonarQube includes a collection of static analysis (SAST) rules to find security vulnerabilities in the code of the applications, but SonarQube is not a solution built exclusively for security analysis. For reference, out of 600+ Java rules, less than 50 rules are considered security vulnerabilities.
Static analysis (SAST) works by looking at the source code of the application and simulating the execution of the application to look for suspicious patterns that might indicate a security risk. SonarQube uses static taint tracking, which helps to find some risks with more nuance than simple regular expression matching, but it is well known to produce a large number of false positives that must be manually validated by an expert before they are helpful to the developer.
Some of the advanced static data flow techniques are not available in the open-source version and require a paid enterprise license subscription.
Should your team use SonarQube?
The modern software development process is a complex operation that requires multiple teams and tools. Each application has its own level of stability, performance, security requirements depending on the business use case.
In this context, it is difficult to broadly recommend or discourage specific tools. Let’s take a look at the pros and cons of SonarQube as a security analysis tool, and provide some general guidelines.
- Broad language support:
SonarQube supports more than 25 programming languages. However, some of the languages are only available in the enterprise version.
- Long time open-source project:
The SonarQube brand is trusted by many teams and it has been validated. It is one of the most recommended free application security testing solutions. It is easy to download and experiment to evaluate fit.
- Many integrations:
Sonarqube can be easily integrated into most CI/CD pipelines, IDEs, and DevOps toolchains.
- False positives and low detection rate:
According to the OWASP Benchmark, a scientific way to measure the accuracy of security tools, SonarQube reports almost 20% false positives. See the OWASP Benchmark section for more details.
- Scan-based approach:
SonarQube works by scanning the code offline. This process is slow if the project is complex, and it introduces delays in the development process.
- Access to the source code is required:
SonarQube needs direct access to the source code of the application. This means that it can not validate precompiled dependencies such as open-source packages, legacy code, and modules provided by external partners.
- Static results are quickly outdated:
The moment the application changes, the SonarQube results are outdated and a new scan process must be executed. This frustrates everyone because nobody wants to waste time on results that might have already changed.
- Not applicable to Production systems:
Due to the scan approach and the need to have access to the source code, SonarQube is not applicable to production systems.
Summary: some general guidelines about Sonarqube as an AppSec tool
- SonarQube can add value to your SDLC:
Being well tested, free of cost, and open-source, SonarQube will add value to most teams, so it is a safe addition to almost all DevOps chains, however…
- SonarQube will require configuration and triaging:
In general, SAST approaches require rule configuration, tuning, and validation of results. Not to mention long scans of hours and even days of duration. This means that some resources will have to be reserved for the operation of SonarQube.
- SonarQube will miss some serious risks:
If security is a high priority for the team, additional security tools should be used on top of SonarQube. Many risks are only observable when the application is running, so the recommendation is to use other approaches than the static analysis technique.
SonarQube vs Hdiv Detection (IAST)
The table below summarizes the key differences between the two approaches. Some of the most important aspects we would like to highlight are:
Hdiv and the passive IAST approach
From a technology perspective, Hdiv Detection (IAST) is a passive Interactive Application Security Testing (IAST) solution. This means that there is no need to scan nor attack the application because regular traffic is enough to perform the security analysis. Also, the combination of runtime and static visibility means that the accuracy is ultra-high, thanks to having the full context of how the application truly works.
Advanced security features
Some application security risks can not be detected by just looking at the code of the application because they only manifest during the runtime of the application. Some serious examples of risks not detectable by SonarQube are:
- A1:2017 NoSQL injection: as modern databases start replacing SQL, SonarQube will miss advanced injection risks because it does not look at the runtime semantics
- A6:2017 Security misconfiguration: this includes the right configuration of security headers, cookies, session expiration, and form autocomplete settings
- A3:2017 Sensitive data exposure: sensitive data, such as personal information and stacktraces, are runtime aspects, so any static approach will not be able to detect this family of risks
Upgrade to protection against attacks
Another key advantage of Hdiv over SonarQube is the ability to grow from Hdiv Detection (IAST) to Hdiv Protection (RASP) to enable automatic protection of all the vulnerabilities that could not be fixed. This is a huge strategic upgrade over SonarQube. After all, it is almost impossible to fix all security issues before going to production, and the RASP provides peace of mind that no vulnerabilities will be exploited.
Summary of SonarQube vs Hdiv IAST
|SonarQube SAST||Hdiv IAST|
|Timeline||Development||Development, QA, Production||Applicable to All Stages of the SDLC and to All Environments|
|Speed||Instant to hours||Instant (at runtime)|
|How It Works||Analyzes static code to identify vulnerabilities||Analyzes code and behavior of running apps through instrumentation|
|Allows Continuous Security Testing||EVERYTHING IS AUTOMATIC: Vulnerability lists are always up-to-date, even when the applications change continuously.|
|Vulnerable Coverage||Medium||High||Selection of detection rules that go beyond what SAST and DAST can deliver: Advanced SQLi (blind SQLi)|
True Positive: 100%
False Positive: 0%
|Hdiv OWASP Benchmark|
|Client-Side Browser Malware Detection||Risk example: Magecart|
|Third-party component vulnerability detection
[SCA: Software Composition Analyis]
|Hdiv Detection (IAST) will list known vulnerabilities (CVEs) affecting third party code, even if the libraries have been compiled and no source code is available. In addition, Hdiv is able to detect possible zero-day vulnerabilities within third party libraries because Hdiv analyzes third party libraries execution using the compiled code.|
|Vulnerabilities Detection on Outsourced Developments||Hdiv Detection (IAST) no need to have access to the source code of the applications to complete the process of security code validation.|
How Hdiv Detection (IAST) solves SonarQube issues
- False positives and low detection rate: Hdiv Detection (IAST) reports a 0% false-positive rate in the same score. This means less time wasted validating the scan results.
- Scan-based approach: since Hdiv Detection (IAST) works continuously in real-time, there is no need to launch a scan process.
- Source code is required: Hdiv Detection (IAST) works with compiled code, which combined with the built-in SCA capabilities provides a complete analysis coverage of the application codebase.
- Static results are quickly outdated: The Hdiv Detection (IAST) analysis results are always up-to-date thanks to the continuous analysis approach.
- Not applicable to Production systems: Hdiv Detection (IAST) presents very little performance overhead and thus it works great in production environments
SonarQube vs Hdiv ROI
We look at the return of investment of SonarQube versus Hdiv by analyzing the costs involved in the following activities:
- Vulnerability Analysis: SonarQube requires teams to invest around 10 hours to review the vulnerability results due to the static nature, the time to scan, and the lack of accuracy, compared to 1 hour for Hdiv
- Triage to eliminate false positives: SonarQube will have many false positives that require manual evaluation. For an average project, this can take between 40 and 80 hours of specialized work, compared to less than 3 hours for Hdiv, due to the low false-positive rate
- Reporting to the developers: SonarQube will require some additional information to find the right team in charge of the code, about two days or 16 hours. This compares to about half a day for Hdiv, since the security analysis includes all the relevant information to find and fix the problem
Factoring in the typical licensing and fully-loaded labor costs, Hdiv Detection (IAST) represents a 88% annual cost savings over SonarQube. Let us know if you want to look at these numbers in more detail, including our time and cost assumptions.
How to evaluate SonarQube vs Hdiv yourself
SonarQube has an open-source version that any team can test easily. If you want to compare Hdiv against SonarQube or any other application security testing tool, let us know and we will take you through the process.