Commit
add contribution, remove development
Signed-off-by: Nicklas Körtge <nicklas.koertge1@ibm.com>
n1ckl0sk0rtge committed Jun 12, 2024
1 parent e67c188 commit 367eabc
Showing 3 changed files with 92 additions and 92 deletions.
59 changes: 59 additions & 0 deletions CONTRIBUTING.md
@@ -0,0 +1,59 @@
# Contributing

The Sonar Cryptography Plugin is an open source project that aims to create
an easy way to discover the use of cryptography in source code and create CBOM.
This page describes how you can join the community in this goal.

## Before you start

If you are new to the community? We recommend you do the following before diving into the code:

* Read the [Code of Conduct](https://github.com/IBM/sonar-cryptography/blob/main/CODE_OF_CONDUCT.md)
* Familiarize yourself with the community (via [GitHub](https://github.com/IBM/sonar-cryptography/discussions) etc.)

## Choose an issue to work on
Qiskit uses the following labels to help non-maintainers find issues best suited to their interest and experience level:

* [good first issue](https://github.com/IBM/sonar-cryptography/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) - these issues are typically the simplest available to work on, ideal for newcomers. They should already be fully scoped, with a clear approach outlined in the descriptions.
* [help wanted](https://github.com/IBM/sonar-cryptography/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22) - these issues are generally more complex than good first issues. They typically cover work that core maintainers don't currently have capacity to implement and may require more investigation/discussion. These are a great option for experienced contributors looking for something a bit more challenging.

## Code Style

Check if all java files are well formated and license headers are in place.
```shell
mvn spotless:check
```
Applies format and license headers to files.
```shell
mvn spotless:apply
```
Spotless Maven Documentation: https://github.com/diffplug/spotless/blob/main/plugin-maven/README.md

Check for coding style
```shell
mvn checkstyle::check
```

## Build

In the project directory run the following command:
```shell
mvn clean package
```
The `.jar` file will be stored in the target directory and also copied to
`.SonarQube/plugins`.


## Run the Plugin with SonarQube

```shell
UID=${UID} GID=${GID} docker-compose up
```

### Configure SonarQube

For the initial configuration and setup have a look to the [official SonarQube documentation](https://docs.sonarqube.org/latest/try-out-sonarqube/).

### Create a Quality Profile with Crypto Rules

See detailed instructions in the root [README.md](./README.md#create-a-quality-profile-with-crypto-rules)
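Review bot: the closing link `[README.md](./README.md#create-a-quality-profile-with-crypto-rules)` points at a heading that this same commit renames in README.md to "Create a Quality Profile with Cryptographic Rules", so the anchor will no longer resolve; change it to `#create-a-quality-profile-with-cryptographic-rules`. Also in this hunk, `mvn checkstyle::check` under "Check for coding style" uses a double colon, which is not Maven's `prefix:goal` form; it should read `mvn checkstyle:check`. The "Choose an issue to work on" paragraph still opens with "Qiskit uses the following labels", a leftover from the template this file was adapted from, and should name this project instead. Minor wording: "If you are new to the community? We recommend" should be "If you are new to the community, we recommend", and "well formated" should be "well formatted".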
71 changes: 0 additions & 71 deletions DEVELOPMENT.md

This file was deleted.

54 changes: 33 additions & 21 deletions README.md
@@ -1,44 +1,44 @@
# Sonar Cryptography Plugin

[![License](https://img.shields.io/github/license/IBM/sonar-cryptography.svg?)](https://opensource.org/licenses/Apache-2.0) <!--- long-description-skip-begin -->
[![Current Release](https://img.shields.io/github/release/IBM/sonar-cryptography.svg?logo=IBM)](https://github.com/IBM/sonar-cryptography/releases)


This repository contains a SonarQube Plugin that detects cryptographic assets
in source code and generates CBOM.
in source code and generates [CBOM](https://cyclonedx.org/capabilities/cbom/).

## Plugin version compatibility
## Version compatibility

| Plugin Version | SonarQube Version |
| -------------- | -------------------- |
|----------------|----------------------|
| 1.x.x and up | SonarQube 9.8 and up |

## Latest supported languages and libraries
## Supported languages and libraries

| Language | Cryptographic Library | Coverage |
| -------- | --------------------- | -------- |
| Java | JCA | 100% |
| | BouncyCastle | 80% |
| Pyrhon | pycrypto | 100% |
| Language | Cryptographic Library | Coverage |
|----------|-----------------------------------------------------------------------------------------------|----------|
| Java | [JCA](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html) | 100% |
| | [BouncyCastle](https://github.com/bcgit/bc-java) | 80% |
| Python | pycrypto | 100% |

> The plugin is designed so that it can be extended to support additional languages and recognition rules to support more libraries. Detailed instructions on how to add new languages and recognition rules will follow shortly.
## Development and Contribution

See [development setup](DEVELOPMENT.md).

## Installation

Copy the plugins (jar files) to $SONAR_INSTALL_DIR/extensions/plugins and restart
Copy the plugins (jar files) to `$SONARQUBE_HOME/extensions/plugins` and restart
SonarQube ([more](https://docs.sonarqube.org/latest/setup-and-upgrade/install-a-plugin/)).

## Using

Each plugin provides new rules (IBM Cryptography Repository) related to the use of cryptography in Java or Python source code.
By enabling these rules, a source code scan will check the code for these rules and mark a new security
hotspot in case of violation.
In addition, a source code scan generates a CBOM with all cryptographic results and writes a `cbom.json` to
the scan directory.
The plugin provides new inventory rules (IBM Cryptography Repository) regarding the use of cryptography for
the supported languages.
If you enable these rules, a source code scan creates a cryptographic inventory by creating a
[CBOM](https://cyclonedx.org/capabilities/cbom/) with all cryptographic assets and writing
a `cbom.json` to the scan directory.

### Create a Quality Profile with Crypto Rules
### Create a Quality Profile with Cryptographic Rules

The crypto rules added by the plugin are not per default activated. Create a new quality profile for Java or Python.
The crypto rules added by the plugin are not per default activated. Create a new quality profile for a specific language.

![Quality Profile with Crypto Rules](.github/img/quality_profile.png)
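
Review bot: the rewritten "Using" paragraph no longer says how a violated rule shows up in SonarQube. The previous text stated that a violation is marked as a new security hotspot; the new text only mentions the `cbom.json` written to the scan directory. If the rules still raise hotspots, keep a sentence saying so, otherwise readers will assume that enabling the rules has no effect on the analysis results themselves. Two smaller points: the "Coverage" column in the languages table (100%, 80%) is not defined anywhere, so a one-line note on what it measures would help; and "are not per default activated" should read "are not activated by default".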

@@ -58,6 +58,18 @@ activated crypto rules.
Now you can follow the [SonarQube documentation](https://docs.sonarqube.org/latest/analyzing-source-code/overview/)
to start your first scan.

## Contribution Guidelines

If you'd like to contribute to Sonar Cryptography Plugin, please take a look at our
[contribution guidelines](CONTRIBUTING.md). By participating, you are expected to uphold our [code of conduct](CODE_OF_CONDUCT.md).

We use [GitHub issues](https://github.com/IBM/sonar-cryptography/issues) for tracking requests and bugs. For questions
start a discussion using [GitHub Discussions](https://github.com/IBM/sonar-cryptography/discussions).

## License

[Apache License 2.0](LICENSE.txt)
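
Review bot: "contribute to Sonar Cryptography Plugin" should read "contribute to the Sonar Cryptography Plugin", matching the form used in the new CONTRIBUTING.md ("The Sonar Cryptography Plugin is an open source project"). The four empty lines after the License link also leave trailing blank lines at the end of the file; trim them to a single newline.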





0 comments on commit 367eabc