From c5f12612e799d6429c5ec2e639348778937b6121 Mon Sep 17 00:00:00 2001 From: sNiXx Date: Wed, 12 Nov 2025 09:35:42 +0100 Subject: [PATCH] docs: update SonarQube API pull details --- .../supported_tools/parsers/api/_index.md | 19 ++++--- .../supported_tools/parsers/api/sonarqube.md | 52 +++++++++++-------- 2 files changed, 44 insertions(+), 27 deletions(-) diff --git a/docs/content/supported_tools/parsers/api/_index.md b/docs/content/supported_tools/parsers/api/_index.md index 14859189003..2cc476beda1 100644 --- a/docs/content/supported_tools/parsers/api/_index.md +++ b/docs/content/supported_tools/parsers/api/_index.md 
@@ -11,14 +11,21 @@ All parsers that use API pull have common basic configuration steps, but with di Follow these steps to set up API importing: +## Tool Configuration + 1. Configure the API authentication details by navigating to `Configuration -> Tool Configuration -> Add Tool Configuration`. Enter a `Name`, selecting the related `Tool Type` and `Authentication Type` "API Key". Paste your credentials - to the proper fields based on definitions below. + into the proper fields based on the selected parser. + +## Product-Level Configuration + +1. Navigate to `Products -> All Products` and select a product from the list. + +2. Click on `Settings` and select `Add API Scan Configuration` -2. In the `Product` settings select `Add API Scan Configuration` and select the - previously added `Tool Configuration`. Provide values based on definitions below. +3. Select the previously added `Tool Configuration` and provide additional values based on the selected parser. -3. After this is done, you can import the findings on the `Product` page through - `Findings -> Import Scan Results`. As the `Scan type`, select the related type, - the API scan configuration from the last step, and click `Import`. +4. After this is done, you can import the findings on the `Product` page through + `Findings -> Import Scan Results`. As the `Scan type`, select the related type + (the `API Scan Configuration` created above) and click `Import`. diff --git a/docs/content/supported_tools/parsers/api/sonarqube.md b/docs/content/supported_tools/parsers/api/sonarqube.md index 2fe14567d6f..3f38e022ebe 100644 --- a/docs/content/supported_tools/parsers/api/sonarqube.md +++ b/docs/content/supported_tools/parsers/api/sonarqube.md 
@@ -2,20 +2,24 @@ title: "SonarQube API Import" toc_hide: true --- -All parsers which using API have common basic configuration step but with different values. Please, [read these steps](../) at first. +All parsers that use API pull have common basic configuration steps, but with different values. Please, [read these steps](../) first. -In `Tool Configuration`, select `Tool Type` to "SonarQube" and `Authentication Type` "API Key". -Note the url must be in the format of `https:///api` +## Tool Configuration + +In `Tool Configuration`, select `Tool Type` "SonarQube" and `Authentication Type` "API Key". +The URL must be in the format of `https:///api` Paste your SonarQube API token in the "API Key" field. -By default the tool will import vulnerabilities issues -and security hotspots only, but additional filters can be setup using the -Extras field separated by commas (e.g. `BUG,VULNERABILITY,CODE_SMELL`). When using -SonarCloud, you must also specify the Organization ID in the Extras field as follows -`OrgID=sonarcloud-organzation-ID`. If also specifying issue type filters, please -seperate the items in the Extras field by a vertical bar as follows -`BUG,VULNERABILITY,CODE_SMELL|OrgID=sonarcloud-organzation-ID` - -In "Add API Scan Configuration" +By default, the tool will import vulnerability issues +and security hotspots only, but additional filters can be applied using the +"Extras" field separated by commas (e.g. `BUG,VULNERABILITY,CODE_SMELL`). When using +SonarCloud, you must also specify the Organization ID in the "Extras" field (e.g. +`OrgID=sonarcloud-organzation-ID`). When also specifying issue type filters, please +separate the items in the "Extras" field by a vertical bar (e.g. +`BUG,VULNERABILITY,CODE_SMELL|OrgID=sonarcloud-organzation-ID`) + +## Product-Level Configuration + +In `Add API Scan Configuration` - `Service key 1` must be the SonarQube project key, which can be found by navigating to a specific project and selecting the value from the url 
@@ -24,23 +28,29 @@ In "Add API Scan Configuration" use the name of the Product as the project key in SonarQube. If you would like to import findings from multiple projects, you can specify multiple keys as separated `API Scan Configuration` in the `Product` settings. -- If using SonarCloud, the orginization ID can be used from step 1, but it - can be overiden by supplying a different orginization ID in the `Service key 2` input field. +- If using SonarCloud, the organization ID can be used from step 1, but it + can be overridden by supplying a different organization ID in the `Service key 2` input field. ## Multiple SonarQube API Configurations -In the import or re-import dialog you can select which `API Scan +In the import or re-import dialog, you can select which `API Scan Configuration` shall be used. If you do not choose any, DefectDojo will use the `API Scan Configuration` of the Product if there is only one defined or the SonarQube `Tool Configuration` if there is only one. -## Multi Branch Scanning +## Multi-Branch Scanning -If using a version of SonarQube with multi branch scanning, the branch tha be scanned can -be supplied in the `branch_tag` fieild at import/re-import time. If the branch does not exist, -a notification will be generated in the alerts table indicating that branch to be imported +If using a version of SonarQube with multi-branch scanning, the branch to be scanned can +be supplied in the `branch_tag` field at import/re-import time. If the branch does not exist, +a notification will be generated in the alerts table, indicating that branch to be imported does not exist. If a branch name is not supplied during import/re-import, the default branch of the SonarQube project will be used. -**Note:**: If `https` is used for the SonarQube, the certificate must be -trusted by the DefectDojo instance. +## Custom Trust + +If you are connecting to SonarQube via HTTPS, the issuer of the certificate that is presented by +SonarQube must be trusted. 
+ +One way of achieving this is by defining the `REQUESTS_CA_BUNDLE` environment variable to point +to a PEM-encoded certificate file in the container (e.g. `REQUESTS_CA_BUNDLE=/app/media/cacerts.pem`). +To ensure the certificate is persisted, the file should be in a mounted volume. \ No newline at end of file
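Review bot: step 4 of the `_index.md` hunk now reads as if the `API Scan Configuration` were the `Scan type`: "As the `Scan type`, select the related type (the `API Scan Configuration` created above)". The removed text described two separate selections (the scan type, then the API scan configuration from the previous step); suggest "As the `Scan type`, select the related type, choose the `API Scan Configuration` created above, and click `Import`." so both fields stay visible to the reader. While this step is being touched, the context sentence "Enter a `Name`, selecting the related `Tool Type` and `Authentication Type` "API Key"" would also read better as "Enter a `Name`, select the related `Tool Type` and set `Authentication Type` to "API Key"".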
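Review bot: the URL example in the first `sonarqube.md` hunk, "The URL must be in the format of `https:///api`", has no host component, most likely an angle-bracket placeholder that the Markdown renderer swallowed; since the line is being rewritten anyway, spell the placeholder out inside the code span (e.g. `https://<sonarqube-host>/api`, placeholder name mine) and end the sentence with a period before "Paste your SonarQube API token in the "API Key" field." The new text also carries the typo `sonarcloud-organzation-ID` forward in both SonarCloud examples, and the Extras paragraph ends without a period.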
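Review bot: the "Custom Trust" section in the second `sonarqube.md` hunk should say that `REQUESTS_CA_BUNDLE` replaces, rather than extends, the CA bundle that the `requests` library trusts, so the PEM file at `/app/media/cacerts.pem` must also contain the public CAs needed by every other HTTPS integration DefectDojo talks to, otherwise those connections start failing once the variable is set. Because the file is a trust anchor, recommend mounting it read-only so the running application cannot modify it, rather than only "the file should be in a mounted volume". Minor: "indicating that branch to be imported does not exist" in the multi-branch paragraph is missing "the".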