Where does SonarQube save source post analysis? - analysis

Where does sonar save the source code on which the analysis is run? How secure is it?

SonarQube saves the source into the database, so it is as secure as the database that you are using. But it only keeps the last version of the source. If you don't want to upload the source to the database, then turn off the Import Sources feature. You can do that with the following property: sonar.importSources=false, or you can set it on the settings page under the security options. In this case the source code will stay on your machine when you analyze.

Related

How do you synchronize a Fortify report with updated source code?

My project's source files have changed since the last Fortify scan was made. The Audit Workbench shows issues using the new source files causing a mismatch.
This mismatch even persists after I run the scan again for the Fortify project.
It seems that the only way to re-align reported issues to the correct source code is to perform the scan in a new Fortify project.
But this is not desirable since I will have to re-audit all the issues that have been audited in the original project.
Is there a way to get Fortify to re-assign the line numbers for stored issues to match the changes made in the source files?
There are two different things going on here.
1) When you open an FPR, Audit Workbench will look on the current hard drive to see if the source code resides on it (it knows the absolute file paths of the code that was scanned). If it finds source code, it will use that to display when an issue is selected instead of using the source code it has inside of the FPR (I assume because of performance).
Since you have modified the source code after the scan, what you need to do is select Tools -> Extract Source Code... from the menu and extract the source code to a temporary location (you can delete it later). When this happens, Audit Workbench will then use that code for display in Audit Workbench.
2) You mentioned having to re-audit issues when you scan again. When you have your new scan open in Audit Workbench select Tools -> Merge Audit Projects... from the menu. Then select your audited FPR file.
This will merge the two FPRs together and carry over previous comments and audit tags for issues that exist in both FPRs.

How to backup/restore a JIRA project configuration

Is there a way to back up a JIRA project configuration and then restore it?
The issue I have is that sometimes, when doing workflow changes, I can break the whole configuration.
So I'm looking for a way to easily roll back to the previous working version of the project configuration.
Please note that I cannot rollback the whole JIRA server as it will affect other projects.
We are using the latest version of the Jira Service Desk on premises.
Thanks,
Please see the full answer here.
You can't.
JIRA does a full export of everything, and you can import the issues from one project from that. But that's it. If you need single project backups with configuration, you'll need extra functionality. This is exactly the case where I would reach for Botron's tool -
https://marketplace.atlassian.com/plugins/com.botronsoft.jira.configurationmanager
Whenever you publish a change to a workflow, JIRA asks you if it has to save a copy of the original. If you do that, it should be easy to revert to a previous version. Still, it gets cumbersome to manage lots of copies of a workflow and to understand what changed when.
If you want a bit more control, you can also export your workflow to XML and keep that somewhere. If you need to roll back, you can import from that XML again. For more details see the documentation here.
If you want even more control, then add-ons like Botron's configuration manager can indeed be useful.

How to diff Fortify SCA scans

We have Fortify SCA and we are setting up regular, automated scans of our source code. Our intention is to have an alert if there is an introduced security issue. Is there a way, perhaps using FPRUtility (or some other method) to accomplish this? Ultimately I prefer something that can be easily run from the command line, but if this can also be accomplished using the GUI then I would appreciate knowing how to do that as well.
Use Audit Workbench to run a report. Choose "developer workbook" and disable all sections except one (you can choose any section you want).
In the report section's additional properties, set the filter for the issues to [issue age]:new. This means the report will show ONLY issues in your FPR that were not present in the previous scan, and were introduced in the latest scan. Save the template.
In your scan configuration, make sure to scan to the same FPR every time per project, so that "new" issues can be calculated by the report runner.
After the scan is complete, use the answer by #user1836982 to run the report. Choose the XML template and process it programmatically.
(1) Command for the Fortify report generation to XML FORMAT:
FORTIFY_INSTALL_DIR\bin\ReportGenerator.bat -format xml -f target_file_name.xml -source your_fpr_file_name.fpr -template Detailed-DefaultReportDefinition.xml
(2) you can also use AWB to generate the .pdf/.rtf/.xml report by Report(top menu bar) -> save report -> select format ->save
(3) Just added procedure to create excel sheet here: Export HP Fortify SCA 4.10 results in EXCEL format
(4) If you have access to the DB (Oracle), you can query it with a script.
If you are using Fortify SCA, you should also have access to Fortify Software Security Center (SSC). SSC can be used to track trending data across builds of a project. SSC has built in capabilities to send out alerts based on user-defined events within SSC; I have never worked with those so can't offer any thoughts other than what the docs say.
The reports generated by Fortify SCA (.fpr files) are zip files of XML documents storing all the relevant data; I would suspect some of the data in those files is related to the SCA rulesets that are present in both SCA and SSC instances. I suspect that without the rulesets you would be able to determine that new issues have been introduced, but not get any good data on what they are, their priority level, etc.
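The two answers above give the building blocks for a command-line diff: run a report filtered to [issue age]:new, or open the FPR itself, which is a zip archive of XML. What follows is an added example, not code from this thread or from Fortify's own tooling: a Python script that compares two FPRs by the InstanceID of every vulnerability in their embedded audit.fvdl, lists what was introduced and what disappeared, and exits non-zero when anything new is found so a CI job can raise an alert. It rests on assumptions not stated in the thread: that the FVDL sits at audit.fvdl inside the FPR zip, that it uses the xmlns://www.fortifysoftware.com/schema/fvdl namespace, that each <Vulnerability> carries ClassInfo/Type plus InstanceInfo/InstanceID and InstanceSeverity, and that InstanceID is stable across scans of the same code (the same property the [issue age]:new filter relies on). The two FPRs it builds in memory are constructed, minimal stand-ins for a real old and new scan.

```python
"""Diff two Fortify FPR files by vulnerability InstanceID.

Added example, not part of the original thread or of Fortify's tooling.
Assumptions (not taken from the thread): an FPR is a zip archive whose
audit.fvdl entry is the FVDL XML; each <Vulnerability> has
<ClassInfo>/<Type> and <InstanceInfo>/<InstanceID> plus <InstanceSeverity>,
and InstanceID is stable across scans of the same code.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by FVDL documents (assumption; adjust if your FPRs differ).
FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"
NS = {"f": FVDL_NS}


def load_issues(fpr_bytes):
    """Return {instance_id: (type, severity)} for every issue in an FPR."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        fvdl = zf.read("audit.fvdl")
    root = ET.fromstring(fvdl)
    issues = {}
    for vuln in root.iterfind(".//f:Vulnerability", NS):
        iid = vuln.findtext("f:InstanceInfo/f:InstanceID", namespaces=NS)
        vtype = vuln.findtext("f:ClassInfo/f:Type", namespaces=NS)
        sev = vuln.findtext("f:InstanceInfo/f:InstanceSeverity", namespaces=NS)
        if iid:  # skip malformed entries without a stable identifier
            issues[iid] = (vtype, sev)
    return issues


def diff_scans(old_fpr, new_fpr):
    """Return (introduced, fixed): issues only in the new / only in the old scan."""
    old, new = load_issues(old_fpr), load_issues(new_fpr)
    introduced = {k: new[k] for k in new.keys() - old.keys()}
    fixed = {k: old[k] for k in old.keys() - new.keys()}
    return introduced, fixed


def make_fpr(vulns):
    """Build a constructed, minimal FPR (zip containing audit.fvdl) for the demo."""
    body = "".join(
        f"<Vulnerability><ClassInfo><Type>{t}</Type></ClassInfo>"
        f"<InstanceInfo><InstanceID>{i}</InstanceID>"
        f"<InstanceSeverity>{s}</InstanceSeverity></InstanceInfo></Vulnerability>"
        for i, t, s in vulns
    )
    fvdl = f'<FVDL xmlns="{FVDL_NS}"><Vulnerabilities>{body}</Vulnerabilities></FVDL>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit.fvdl", fvdl)
    return buf.getvalue()


# Constructed sample scans: one issue persists, one was fixed, one is new.
OLD_SCAN = make_fpr([("AAA111", "SQL Injection", "4.0"),
                     ("BBB222", "Path Manipulation", "3.0")])
NEW_SCAN = make_fpr([("AAA111", "SQL Injection", "4.0"),
                     ("CCC333", "Cross-Site Scripting: Reflected", "4.0")])


def main(argv):
    if len(argv) == 3:  # real FPRs from disk: fpr_diff.py old.fpr new.fpr
        with open(argv[1], "rb") as a, open(argv[2], "rb") as b:
            old_b, new_b = a.read(), b.read()
    else:               # no arguments: diff the constructed samples
        old_b, new_b = OLD_SCAN, NEW_SCAN
    introduced, fixed = diff_scans(old_b, new_b)
    for iid, (t, s) in sorted(introduced.items()):
        print(f"NEW   {iid}  {t}  severity={s}")
    for iid, (t, s) in sorted(fixed.items()):
        print(f"FIXED {iid}  {t}  severity={s}")
    return 1 if introduced else 0  # non-zero exit lets a CI step fail the build


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python fpr_diff.py old.fpr new.fpr, or with no arguments to diff the two constructed archives. Because the comparison keys on InstanceID, a finding whose surrounding code was heavily refactored can show up as both FIXED and NEW; the report-based approach in the thread keys on the same identifier and shares that caveat.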

ssis packages modifying files under source control

This is more of a hypothetical question as I am sure this is not a very good way to do things.
Say I have an SSIS package, under source control in TFS, that needs to read and modify some files, say a CSV. How does it handle modifying the CSV if the CSV is also under source control in TFS?
I don't have a complete understanding of how it works, but I assume the CSV would be under write protection until it is checked out. Does the SSIS package just error out when attempting to write to a write-protected file? Having to modify the SSIS packages to somehow get around the write protection would require a lot of work, as all these packages are already written and are being added to source control now. Alternatively, I assume there are some settings in TFS to turn off write protection on your local copy or automatically check out a file if it is being modified.
Is the real solution to just keep the input and output files from the SSIS package outside of source control (as there is probably questionable justification for them to be there in the first place)?
TFS is integrated into Visual Studio. When you edit a package, VS checks it out of TFS for you and you can use Visual Studio's interface to check it back in.
In VS, Tools/Options/Source Control sets up the source control provider. File/Source Control is where you manage the connection to the project.
If you change your workspace over to a local workspace the read only attribute is removed for all files.
If, however, you need to edit the file in a normal workspace, why is it under source control at all? A better way would be to have separate files for DataIn, DataOut, and DataCompare. You should have DataIn and DataCompare under source control, but DataOut should be generated.
It is not recommended to have any generated files under source control.

SONAR - Analyzing source code in an Incremental way

I have been using Sonar for the last few months and want to know whether Sonar works in an incremental way or not, i.e. if I do a Sonar analysis for the first time on my project code it will definitely analyze all the code, but if I do some enhancement on my core source code and update some files, then after the update, when I run the Sonar analysis again on the same code, will Sonar analyze all the files or only the files which I have updated?
I am using "Sonar way with Findbugs" as my default quality profile.
Is there any way to use sonar in an incremental way, to analyze only updated files?
Is this possible in sonar or not?
Kindly revert; your help will be appreciated.
Thanks in advance.
Sonar does not currently handle incremental analyses.
If you want, you can watch and vote for the following ticket: http://jira.codehaus.org/browse/SONAR-2815
If your task is code quality metrics in a general way, then you can use these tools directly in Jenkins. See the FindBugs Plugin, PMD plugin or Checkstyle Plugin. They independently give what you need in the form of "incremental code" reports. But if you have to use SONAR only, then Fabrice's answer is the correct one.
Here is the post where the ticket that #fabrice-sonar-team comments on was born:
does Sonar support Incremental code quality analysis
You can read Freddy Mallet's explanation of why this functionality is not trivial to implement. It requires a lot of effort, so as Fabrice said, vote for the ticket! :)
Just adding on since this is the first Google result for 'Sonar incremental preview analysis' on Stack, and the answers are way too old.
Sonar has plugins available for IDEs such as Eclipse and NetBeans that can run incremental analysis on the changed files alone. This still needs a connection to the SonarQube server though.
You may also run the analysis right from Jenkins by passing an additional sonar analysis property, sonar.analysis.mode=incremental, in your Sonar scan build step. This will report the code quality in a full report, with all code issues, as well as a light report containing only new issues (since the last full scan as recorded in the server).
To take it one step further, use sonar.issuesReport.html.enable=true and publish the generated HTML reports to your Jenkins build page - neat and trim.
Sonar documentation here
