Hi community,
There is significant interest from a developer point-of-view to get a tool like HP Fortify back into SonarQube. Is there a specific section (just the rule file?) that needs HP assistance to keep up to date?
Are there different things we need to do for HP Fortify on-premise tools versus the HP Fortify on Demand service?
Just looking to identify what specific parts need feedback from the vendor.
Hi @dhartford. This is an old topic, but as far as I can remember, in order to import rule definitions into SonarQube (name, severity, description, ...) the plugin used to "introspect" Fortify rule packs. We discovered it was a violation of the HP license. So what we meant about requiring HP support was more in terms of a legal issue.
These days, SonarSource is moving away from trying to integrate all third-party tools into SonarQube, and is instead investing a lot in developing its own analyzers. All that to say that today, even if the legal issues were cleared, it is very unlikely that we would support this plugin.
I'll raise that using third-party security tools is pretty much a requirement for any regulatory space (PCI, FISMA/STIG, NIST, etc.). The scope to make security tools that cross-reference all those controls is a non-trivial effort, so I would defer to third-party security vendors that specialize in them.
Having said that, I'm surprised it couldn't be something as simple as 'you require a license before downloading and creating the fortify ruleset', although you wouldn't get any value from this plugin without a license in the first place :-)
Edit: Or, is the statement around SonarSource's stance more that the security vendors, such as Checkmarx, are encouraged to create and maintain a sonar plugin rather than leaving it to the community?