SonarCloud
First time using SonarCloud? Please refer to the following documentation.
Introduction
This integration consolidates scan results of applications in SonarCloud with Conviso Platform, keeping both solutions synced in real time.
It supports a two-way integration regarding new vulnerabilities and status mapping, so every update in SonarCloud will also update Conviso Platform, as well as updates in the triage of vulnerabilities within Conviso Platform vulnerability management.
Aggregating SonarCloud results and other security tools with Conviso Platform will let you have a centralized view for a more efficient prioritization and security risk management of your applications.
Requirements
To integrate SonarCloud with the Conviso Platform, you will need the following data:
- A user with the System Administrator permission in SonarCloud
- User Token of the user with the permission
- Organization ID in SonarCloud
Conviso Platform Setup
To perform the integration between the two platforms, follow these steps after logging into the platform:
- Click on the Integrations option in the side menu.
- Click on Scanners category
- Look for the SonarCloud icon and then click on Integrate button.
A form similar to the image below will appear.
If you're not sure where to get the information below, follow our tutorial here.
- Fill the organization ID.
- Enter your user token from SonarCloud.
- Click on "Save."
After completing the steps, the following screen will appear:
On this screen, you can manage your integration, view and import projects, and test if your SonarCloud connection is active.
- Check if the communication with your SonarCloud is active.
- View this documentation.
- Table containing all the assets in the Conviso Platform that you imported from SonarCloud.
- Add a new SonarCloud project to the Conviso Platform.
- Button to return to the integration credentials configuration.
Importing Assets
To import a new project to the Conviso Platform, follow the steps below:
- Click on Integration in the side menu.
- Look for the Sonarcloud icon and then click on the Configure button.
This will take you to the integration configuration page.
Click on the Add Project button.
The Selection Form showing the projects registered in SonarCloud will appear as shown in the image below.
- You can use the search bar to filter by project name.
- Select which projects to import.
- Select which branch from project you want to import
- Click on the Add button at the top of the form.
Obs: Currently, when you select and import a project from SonarCloud, an asset will be created for each branch that you choose to import.
General Information on Operation
In this section, we will address crucial information about the integration's operation. This includes details about the synchronization process, as well as the status mapping between the involved platforms.
Status Mapping
When moving Vulnerabilities from one status to another, the Conviso platform will communicate and mark the Vulnerabilities in SonarCloud according to the following mapping:
| Conviso Platform | SonarCloud |
|---|---|
| Created | TO REVIEW |
| False positive | SAFE |
| Fix accepted | FIXED |
The modifications are bidirectional, meaning that when changes are made in the Conviso Platform, these changes will be replicated to SonarCloud, and the same applies in reverse.
When changing the status in the Conviso Platform, these changes will be replicated immediately to SonarCloud. However, if a change is first made in SonarCloud, it will only be replicated to the Conviso Platform after a synchronization between the platforms is performed.
Note: The only exception to these status changes is for the FIXED status in the Conviso Platform. In the case of FIXED, it is not allowed for a user to move it to FIXED when the issue was opened by a scanner like SonarCloud. In this scenario, the tool itself should identify the changes and recognize that the issue has been removed. Therefore, in the next synchronization, those vulnerabilities that are no longer identified by SonarCloud will be marked as FIXED in the Conviso Platform.
Note: When changing the vulnerability to an unmapped status, it will revert to the last mapped status when a synchronization occurs.
Synchronization
The synchronization of assets is automatically initiated every time a scan is successfully completed in SonarCloud. You can also start a manual synchronization.
To check the status or start a manual synchronization, follow the steps below:
- Go to the Assets Management page.
- Click on the name of the asset that was imported.
On the asset's detail page, click on View All next to Integration, as shown in the image below:
A modal will appear as shown in the photo below:
In this modal, you will have the following information:
- Time when the last synchronization was initiated.
- Progress bar showing the progress of the synchronization if it is in progress.
- Button to start a synchronization. A synchronization can only be initiated if the previous one has already finished.
How to get the necessary information for the integration.
To get this information, you will need to log in to SonarCloud and follow the steps below:
- Click on your profile picture.
- Click on My Account.
- Upon entering the profile, click on the Security tab
- Choose a name to identify the Token and then click on Generate
Now you have your User Token. To get the Organization ID, follow the steps below:
- Click on the Organization tab
- Click on the Organization you want to integrate
- The Organization ID can be found on the right side of the page as shown below:
With this information, you can now create the integration in the Conviso Platform by following the steps mentioned above.
