forked from fortify-ps/fortify-integration-sonarqube
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTODO.txt
51 lines (40 loc) · 2.28 KB
/
TODO.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Update README.md
Plugin general:
- Configurable mapping between friority and SonarQube severity
- Configurable support for using folder instead of friority to determine SonarQube severity
- Web pages
- Show information similar to previous widget
- Clean-up/remove FortifyConstants
- Add/improve error handling
- Check whether hidden metrics to pass SSC/FoD URL/credentials are somehow visible (for example through API)
Plugin on SQ 6.7:
- Remove scanner warnings: [WARNING] Storing measures on folders or modules is deprecated. Provided value of metric ... is ignored
- Apparently measures cannot be saved on modules with packaging type pom
- Add FoD implementation
Plugin on SQ 7.6:
- Map Fortify issues to SonarQube-provided OWASP Top 10/SANS Top 25 Security Reports
- Add FortifyIssueRuleKeyRetrieverAdHoc that generates SonarQube ad-hoc rules for Fortify categories
- First check whetehr ad hoc rules are supported for regular issues
- If enabled (through configuration utility, as alternative for single Fortify rule/external lists):
- Don't generate any Fortify-related rules/repositories/profiles
- Add additional issue query fields to retrieve rule description
- Generate (and cache) ad-hoc rule based on rule description in issue data
Metrics:
- Add support and default metrics for folder counts
- Add support for default value if no value available from SSC?
- Fortify security rating -> SonarQube rating (RATING metric type) in metrics-*.yml
Configuration utility:
- Hide MetricDetailsPanel if no item selected in listMetrics
- Add validation (duplicate metric keys, test metric expressions by loading application version from SSC)
- Add help information/tooltips for various input fields
- Remove hardcoded SSC URL (replace with generic sample URL) & credentials
- Add support for configuring default values for plugin PropertyDefinitions?
- How to keep property definitions in sync between plugin and configuration tool?
- Hot to avoid code duplication?
Build:
- Remove unnecessary elements in pom.xml files if already defined in parent
- Fix warnings
Tests:
- Sonar Scanner/Maven scanner
- No exceptions if SSC/FoD connection details have not been configured
- Combinations of FoD/SSC, Single/externallist-based rules, different SonarQube versions , single/multi-module projects