Where do we need HP assistance? #5
Comments
Hi @dhartford. This is an old topic, but as far as I can remember, in order to import rule definitions into SonarQube (name, severity, description, ...) the plugin used to "introspect" Fortify rule packs. We discovered it was a violation of the HP license. So what we meant about requiring HP support was more in terms of a legal issue.
I'll raise that using third-party security tools is pretty much a requirement for any regulatory space (PCI, FISMA/STIG, NIST, etc.). The scope to make security tools that cross-reference all those controls is a non-trivial effort, so I would defer to third-party security vendors that specialize in them. Having said that, I'm surprised it couldn't be something as simple as 'you require a license before downloading and creating the Fortify ruleset', although you wouldn't get any value from this plugin without a license in the first place :-) Edit: Or, is the statement around SonarSource's stance more that the security vendors, such as Checkmarx, are encouraged to create and maintain a Sonar plugin rather than leaving it to the community?
Hi community,
There is significant interest from a developer point-of-view to get a tool like HP Fortify back into SonarQube. Is there a specific section (just the rule file?) that needs HP assistance to keep up to date?
Are there different things we need to do for HP Fortify on-premise tools versus the HP Fortify on Demand service?
Just looking to identify what specific parts need feedback from the vendor.