CogniCrypt Rules in SonarQube
SonarQube requires that every reported issue is tied to a specific rule, which contains a static description of the problem, possible solutions and, when applicable, references to additional resources. In the SonarQube issue interface these sections can be accessed through the tabs Why is this an issue?, How can I fix it?, and More Info. The same tabs are also shown when opening an issue in an IDE using the SonarQube for IDE plugin.
Since our plugin integrates CogniCrypt, we created a set of custom rules based on the CrySL rules. However, one CrySL rule can result in many different errors, and explaining all of them in one rule would show the user a lot of information that is often not relevant to the issue at hand. The first approach was to split each CrySL rule into the seven error types it detects. However, since some error types would receive identical explanations, it was decided in the end to create one SonarQube rule per section for each of the 51 CrySL rules:
- FORBIDDEN: Methods that are unsafe to use are listed in this section; calling one results in a ForbiddenMethodError. The description states that the operation is not secure and lists alternatives when available. Forbidden methods are specified for only four CrySL rules.
- ORDER: Violations of this section result in an IncompleteOperationError or a TypestateError. Since rule descriptions are static, we do not know which method was omitted or where exactly the order was incorrect, so for both error types the explanation would consist only of the correct order of operations. They were therefore combined into one SonarQube rule as an OrderError. All 51 CrySL rules have an ORDER section, resulting in 51 SonarQube rules.
- CONSTRAINTS: This section defines the constraints of the rule; violating one results in a ConstraintError. The content of this SonarQube rule is a natural language explanation of all constraints in the CrySL rule.
- REQUIRES: Pre-conditions for the use of an object are defined in this section. If they are violated, a RequiredPredicateError or an AlternativeReqPredicateError occurs. As the latter is essentially the same as the former, differing only in that it occurs for conditions with alternatives, it was folded into the former. 34 CrySL rules contain a REQUIRES section.
Although CrySL rules have more sections than the above, SPEC merely names the fully qualified JCA class the rule covers, and the OBJECTS and EVENTS sections are relevant to multiple error types without causing errors on their own. The ENSURES section defines the pre-conditions that the JCA class fulfills for other objects; violations are reported in the rule that REQUIRES this pre-condition. The newly added WEAKNESSES section lists CWE references, which were added to the More Info tab.
An outlier is the error type ImpreciseValueExtractionError, which received a single SonarQube rule instead of one per CrySL rule. This is because the description of this error amounts only to the analysis being unable to evaluate some parameter, and therefore being unable to verify whether there is a problem or not.
In total, 141 custom SonarQube rules were created for this CogniCrypt integration. Each one includes a short explanation of the error type for Why is this an issue?, a natural language explanation of the CrySL rule section relevant to this error type as a guide for How can I fix it?, and, under More Info, links to the official Java documentation, the Common Weakness Enumeration (CWE) references associated with the CrySL rule, and the CrySL rule itself. The CWE references were added to the CrySL rules by our project group during the project.
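The mapping from CogniCrypt error types to SonarQube rules described above, written out as a small Python model. This is example code added to this page, not the plugin's own source (the plugin itself is a Java SonarQube plugin); the rule key format `cognicrypt:<CrySL rule>-<SECTION>` and the `SampleRuleNN` names are assumptions, and the catalogue it builds is constructed from the section counts stated above. It shows how IncompleteOperationError and TypestateError collapse into one ORDER rule, how AlternativeReqPredicateError lands in the REQUIRES rule, why ImpreciseValueExtractionError yields one rule key regardless of the CrySL rule, and how the stated counts add up to 141 rules.

```python
"""Illustrative model of how CogniCrypt findings map to SonarQube rule keys.

Example code added to this page, not the plugin's own source. The key
format "cognicrypt:<CrySL rule>-<SECTION>" and the sample rule names
are assumptions.
"""
from enum import Enum


class Section(Enum):
    """CrySL sections that received one SonarQube rule per CrySL rule."""
    FORBIDDEN = "FORBIDDEN"
    ORDER = "ORDER"
    CONSTRAINTS = "CONSTRAINTS"
    REQUIRES = "REQUIRES"


# CogniCrypt error type -> CrySL section whose SonarQube rule explains it.
# IncompleteOperationError and TypestateError share the ORDER rule, and
# AlternativeReqPredicateError is folded into the REQUIRES rule.
SECTION_FOR_ERROR = {
    "ForbiddenMethodError": Section.FORBIDDEN,
    "IncompleteOperationError": Section.ORDER,
    "TypestateError": Section.ORDER,
    "ConstraintError": Section.CONSTRAINTS,
    "RequiredPredicateError": Section.REQUIRES,
    "AlternativeReqPredicateError": Section.REQUIRES,
}

# The one error type that gets a single rule shared by all CrySL rules.
IMPRECISE_ERROR = "ImpreciseValueExtractionError"
IMPRECISE_RULE_KEY = "cognicrypt:ImpreciseValueExtraction"  # assumed key format


def rule_key(crysl_rule: str, error_type: str) -> str:
    """Return the SonarQube rule key that a finding of `error_type`
    reported against `crysl_rule` is attached to."""
    if error_type == IMPRECISE_ERROR:
        return IMPRECISE_RULE_KEY
    section = SECTION_FOR_ERROR.get(error_type)
    if section is None:
        raise ValueError(f"unknown CogniCrypt error type: {error_type}")
    return f"cognicrypt:{crysl_rule}-{section.value}"


def rule_keys_for_catalogue(catalogue: dict[str, set[Section]]) -> set[str]:
    """Return every rule key the scheme produces for a catalogue that maps
    each CrySL rule name to the sections it declares."""
    keys = {IMPRECISE_RULE_KEY}
    for name, sections in catalogue.items():
        for section in sections:
            keys.add(f"cognicrypt:{name}-{section.value}")
    return keys


def constructed_catalogue() -> dict[str, set[Section]]:
    """Constructed stand-in for the 51 CrySL rules, using the section counts
    stated on this page: ORDER in all 51, REQUIRES in 34, FORBIDDEN in 4.
    The page does not state how many rules have a CONSTRAINTS section; all
    51 is assumed here, the count needed to reach the stated total of 141."""
    catalogue = {}
    for i in range(1, 52):
        name = f"SampleRule{i:02d}"  # placeholder name, not a real CrySL rule
        sections = {Section.ORDER, Section.CONSTRAINTS}
        if i <= 34:
            sections.add(Section.REQUIRES)
        if i <= 4:
            sections.add(Section.FORBIDDEN)
        catalogue[name] = sections
    return catalogue


if __name__ == "__main__":
    keys = rule_keys_for_catalogue(constructed_catalogue())
    print(len(keys))  # 141
    print(rule_key("SampleRule01", "TypestateError"))  # cognicrypt:SampleRule01-ORDER
```

The count works out as 1 shared ImpreciseValueExtraction rule, 51 ORDER and 51 CONSTRAINTS rules, 34 REQUIRES rules and 4 FORBIDDEN rules, which is the 141 rules stated above; any other number of CONSTRAINTS rules would not match that total.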