Generating a SonarQube SAST Report

Introduction

This guide will walk you through the steps to run a python script which will download your SonarQube vulnerability SAST report as a json file that can be submitted to Mobb. This script works for both Sonarcloud (SaaS) and SonarQube (on-premise).

Pre-Requisites

• You must have Python installed in your environment. If you don't have Python installed, please do so by visiting the Python download site here.

• You will need to run the script via your terminal or command prompt.

• Download the sonarqube_download_report.py script from here.

Required environment variable settings

SONARQUBE_HOST_URL

Example values: https://sonarcloud.io or http://localhost:9000

SONARQUBE_TOKEN

Generate this token at by following the instruction here

SONARQUBE_ORG

Your Sonarcloud Org ID. If you are using SonarQube, enter none

SONARQUBE_PROJECT

Your Sonarqube project key

BRANCH

The branch name. For example: main

REPORT_PATH

Name of the output report For example: sonar_report.json

Sample command to download a report tied to a branch:

SONARQUBE_HOST_URL=https://sonarcloud.io \
SONARQUBE_TOKEN=XXX \
SONARQUBE_ORG=antonychiu2 \
SONARQUBE_PROJECT=antonychiu2_wf-examples-sonar \
BRANCH=main \
REPORT_PATH=sonar_report.json \
python sonarqube_download_report.py

Sample command to download a report tied to a PR:

SONARQUBE_HOST_URL=https://sonarcloud.io \
SONARQUBE_TOKEN=XXX \
SONARQUBE_ORG=antonychiu2 \
SONARQUBE_PROJECT=antonychiu2_wf-examples-sonar \
PULL_REQUEST_ID=13 \
REPORT_PATH=sonar_report.json \
python sonarqube_download_report.py

Sample command to download a SAST report from SonarQube (on-premise):

SONARQUBE_HOST_URL=http://local-ubuntu-vm:9000 \
SONARQUBE_TOKEN=XXX \
SONARQUBE_ORG=none \
SONARQUBE_PROJECT=webgoat-local \
BRANCH=main \
REPORT_PATH=sonar_report.json \
python sonarqube_download_report.py