I Built My First SonarQube Plugin!

tool | 2022-02-20

🚩 Why I Built a Plugin

Recently, my company launched an initiative to integrate SAST tools into our CI/CD pipeline.
We evaluated tools like Fortify and SonarQube.
Fortunately, I had the chance to take part in the SonarQube research phase. :)

Initially, we discovered the CNES plugin, but it didn't fully meet all our requirements.
Therefore, we decided to re-invent the wheel!

💡 Why I Re-Invented the Wheel?

Although SonarQube has a built-in reporting tool, it's only available in the Enterprise Edition.
As a developer, I'm more inclined toward open-source, community-based, and FREE solutions!

🚀 How I Got Started and Learned About It

I first explored the CNES report plugin to see if it could be customized.
However, the version (as of end April 2022) didn't support the OWASP 2021 report without upgrading SonarQube to 9.x.

I then pulled the Sonar custom plugin example repo, studied it, and learned that:

  • SonarQube plugins are Java-based.
  • The system exposes a set of RESTful Web APIs out of the box.
  • By exploring the SonarQube dashboard and API docs, I figured out how to get the data I needed.

🛠️ How I Built It

I'm not a Java developer, so my custom security report was built mostly in React, with direct API calls.
You can check my repository here: hawjeh/sonar-custom-plugin-example-report

The main code is under /src/main/js.
I forked from the sample repo, kept the essential parts, and modified both the Java and JavaScript code to focus only on my plugin needs.
For future upgrades, I will pull from the base repository as needed.
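The post says the report page is React code that calls SonarQube's RESTful Web API directly, and that the data came from exploring the dashboard and API docs. The block below is an added example (not code from the hawjeh repository or from the SonarSource sample) of the framework-free data layer such a page needs: it builds an `/api/issues/search` request that asks the server for unresolved vulnerabilities plus a per-OWASP-category facet, walks the paged response, and reduces it to the counts a report renders. `/api/issues/search`, its `componentKeys`, `types`, `resolved`, `facets`, `p`, `ps` parameters and the `paging`/`facets` response shape are SonarQube's public Web API; the base URL, project key, rule keys, messages and the sample response are constructed for the example, and the `owaspTop10-2021` facet is assumed to need SonarQube 9.x, as the post notes for the 2021 report.

```javascript
// Added example: the data layer of a custom SonarQube security report page.
// Framework-free so it runs in Node and in the browser alike; a React component
// would call fetchAllVulnerabilities() and render the returned summary.

const SAMPLE_BASE_URL = 'http://localhost:9000'; // constructed: a local SonarQube
const SAMPLE_PROJECT_KEY = 'example-project';    // constructed: any project key

// URL a plugin page calls to list unresolved vulnerabilities for one project and
// have the server count them per OWASP Top 10 bucket in the same response.
// `facet` is 'owaspTop10' (2017 list) or, on SonarQube 9.x, 'owaspTop10-2021'.
function buildIssuesSearchUrl(baseUrl, projectKey, { facet = 'owaspTop10', page = 1, pageSize = 500 } = {}) {
  const params = new URLSearchParams({
    componentKeys: projectKey,
    types: 'VULNERABILITY',
    resolved: 'false',
    facets: facet,
    p: String(page),
    ps: String(pageSize), // 500 is the API's maximum page size
  });
  return `${baseUrl}/api/issues/search?${params.toString()}`;
}

// Turn the `facets` block of a search response into a plain {bucket: count} map.
// A missing facet yields {} so the report shows "no data" instead of crashing.
function summarizeFacet(searchResponse, facet = 'owaspTop10') {
  const block = (searchResponse.facets || []).find((f) => f.property === facet);
  if (!block) return {};
  return Object.fromEntries(block.values.map((v) => [v.val, v.count]));
}

// Count issues per severity (BLOCKER, CRITICAL, MAJOR, MINOR, INFO).
function countBySeverity(issues) {
  return issues.reduce((acc, issue) => {
    acc[issue.severity] = (acc[issue.severity] || 0) + 1;
    return acc;
  }, {});
}

// The API returns paging.{pageIndex,pageSize,total}; return the next page index,
// or null once everything has been fetched. SonarQube will not page past 10,000
// results, so stop there too rather than looping on an HTTP 400.
function nextPage(paging) {
  const fetched = paging.pageIndex * paging.pageSize;
  if (fetched >= paging.total || fetched >= 10000) return null;
  return paging.pageIndex + 1;
}

// Fetch every page for a project. `fetchImpl` is injectable so the function can be
// exercised offline with a fake; in the browser a same-origin fetch with
// credentials: 'include' reuses the logged-in SonarQube session.
async function fetchAllVulnerabilities(baseUrl, projectKey, facet = 'owaspTop10', fetchImpl = globalThis.fetch) {
  const issues = [];
  let facetCounts = {};
  let page = 1;
  while (page !== null) {
    const url = buildIssuesSearchUrl(baseUrl, projectKey, { facet, page });
    const res = await fetchImpl(url, { credentials: 'include' });
    if (!res.ok) throw new Error(`SonarQube API returned HTTP ${res.status} for ${url}`);
    const body = await res.json();
    if (page === 1) facetCounts = summarizeFacet(body, facet); // facets cover the whole result set
    issues.push(...body.issues);
    page = nextPage(body.paging);
  }
  return { issues, facetCounts, bySeverity: countBySeverity(issues) };
}

// Constructed sample, shaped like an /api/issues/search response.
const SAMPLE_RESPONSE = {
  paging: { pageIndex: 1, pageSize: 500, total: 3 },
  issues: [
    { key: 'I1', rule: 'java:S2076', severity: 'CRITICAL', type: 'VULNERABILITY', component: 'example-project:src/A.java', message: 'constructed message 1' },
    { key: 'I2', rule: 'java:S3649', severity: 'CRITICAL', type: 'VULNERABILITY', component: 'example-project:src/B.java', message: 'constructed message 2' },
    { key: 'I3', rule: 'java:S2083', severity: 'MAJOR',    type: 'VULNERABILITY', component: 'example-project:src/C.java', message: 'constructed message 3' },
  ],
  facets: [{ property: 'owaspTop10', values: [{ val: 'a1', count: 2 }, { val: 'a3', count: 1 }] }],
};

// Stand-in for fetch that serves the constructed response, for offline runs.
const fakeFetch = async () => ({ ok: true, status: 200, json: async () => SAMPLE_RESPONSE });

if (typeof require !== 'undefined' && require.main === module) {
  fetchAllVulnerabilities(SAMPLE_BASE_URL, SAMPLE_PROJECT_KEY, 'owaspTop10', fakeFetch)
    .then((r) => console.log(JSON.stringify(r.facetCounts), JSON.stringify(r.bySeverity)));
}
```

Swap `fakeFetch` for the real `fetch` inside the plugin page and the same three functions drive the live report; the facet map gives the OWASP bar chart, `bySeverity` the summary tiles, and `issues` the detail table.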

🔥 What Does the Plugin Look Like?

Access Point (screenshot: sonarqube-report0)

Report View (screenshot: sonarqube-report1)

Sample Report:
Unfortunately, it contains client data, so I can't share it here.
But don't worry — clone my repo, build it yourself, and see it in action!
📦📚 My Repository and References