Sonar Integration for Code Quality and Security

Hello all!

Brief History

Over the past few weeks, I was trying to find a way of automating tests for Cross-Site Scripting attacks using RefApp 2.x. Because the system has very many input fields, it was really tiresome to manually search for XSS and then create automation scripts following an E2E-based workflow for each and every input in the system. Honestly speaking, it might take some good weeks to manually check all input fields and write Selenium scripts to automatically test each input element. Though manually checking for XSS is the most effective option, for a big system like OMRS it feels like a duplication of effort.

QA tools with security automation.

  1. OWASP ZAP: Since ZAP exposes its API for use, we would just create one Selenium script that passes data to ZAP for security scanning. ZAP results can then be used by the security team. This approach indirectly gives the QA team the security-scanning role.

  2. SonarQube: This tool provides code analysis features and code security functions. OpenMRS has implemented SonarQube in the openmrs-core module. However, it is always failing.

    • The SonarQube version used in OpenMRS is 6.7, which is far outdated compared to 9.1 (latest).
    • SonarQube 9.1 requires Java 11, which is supported through the Upgrade Platform Core Libraries 2020 GSoC project.
    • There is a need for us to redesign the Sonar rules so that we can eliminate most false positives, so that if Sonar fails, it is worth checking.
    • We need to first update the OpenMRS SonarQube version before any attempt to set up Sonar to run against openmrs-core PRs.
    • SonarQube has had the ability to test for XSS since version 8.4, but I am not sure if the Community Edition offers such services/rules.

I found out all this from the meeting with @elder16 and discussions with @isears and @sharif. As far as I know, if our goal is automating XSS tests, ZAP is more of a bomb; however, since SonarQube provides code analysis features, I think it would be the best option.

Questions and resolutions

  1. Is there any other tool that simplifies security automation?
  2. Who is the best person to reach out to on issues concerning OpenMRS' Sonar?
  3. Do you have any opinion, suggestion, or recommendation?

cc @grace @jennifer @ibacher @dkayiwa @kdaud @sharif @christine @isears @sharif @raff

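The ZAP approach described in the first post (one Selenium run that feeds ZAP, then pick up ZAP's findings) can be wired up through ZAP's JSON API. The following is an added example, not code from the post or from OpenMRS or ZAP; it assumes ZAP is listening locally on 127.0.0.1:8080 as an intercepting proxy with the API enabled, that the API key is in the `ZAP_API_KEY` environment variable, that the RefApp is at `http://localhost:8081/openmrs`, and the function names and the sample alert list are mine (the sample is constructed in ZAP's alert JSON shape, not a real scan result).

```python
"""Drive OWASP ZAP from a Selenium QA run and gate the build on the alerts.

Added example; not OpenMRS or ZAP project code. Assumptions (not from the post):
ZAP proxies on 127.0.0.1:8080 with the API enabled, the API key is in ZAP_API_KEY,
and the application under test is http://localhost:8081/openmrs.
"""
import json
import os
import time
import urllib.parse
import urllib.request

ZAP_PROXY = "http://127.0.0.1:8080"       # assumed ZAP listen address
ZAP_API_KEY = os.environ.get("ZAP_API_KEY", "")
TARGET = "http://localhost:8081/openmrs"  # assumed RefApp base URL
RISK_LEVELS = ("High", "Medium", "Low", "Informational")  # ZAP's risk names, most severe first


def zap_api(component, kind, name, **params):
    """Call ZAP's JSON API, e.g. zap_api('ascan', 'action', 'scan', url=...)."""
    url = f"{ZAP_PROXY}/JSON/{component}/{kind}/{name}/"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": ZAP_API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def driver_through_zap():
    """Selenium Chrome session whose traffic is routed through ZAP's proxy."""
    from selenium import webdriver  # imported lazily; only needed for a live run
    opts = webdriver.ChromeOptions()
    opts.add_argument(f"--proxy-server={ZAP_PROXY}")
    opts.add_argument("--ignore-certificate-errors")  # ZAP re-signs TLS certificates
    return webdriver.Chrome(options=opts)


def active_scan(target, poll_seconds=5):
    """Actively scan every URL ZAP saw under `target`, block until done, return alerts."""
    scan_id = zap_api("ascan", "action", "scan", url=target, recurse="true")["scan"]
    while int(zap_api("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)
    return zap_api("core", "view", "alerts", baseurl=target)["alerts"]


def summarize_alerts(alerts):
    """Count alerts per ZAP risk level; levels with no alerts are reported as 0."""
    counts = {level: 0 for level in RISK_LEVELS}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def xss_findings(alerts):
    """Sorted, deduplicated (url, parameter) pairs for every XSS alert."""
    hits = {(a["url"], a["param"]) for a in alerts if "Cross Site Scripting" in a["name"]}
    return sorted(hits)


def should_fail_build(alerts, threshold="High"):
    """True if any alert is at `threshold` or a more severe level."""
    severe = RISK_LEVELS[: RISK_LEVELS.index(threshold) + 1]
    return any(a["risk"] in severe for a in alerts)


# Constructed sample in ZAP's alert format (not a real scan result); paths are made up.
SAMPLE_ALERTS = [
    {"risk": "High", "name": "Cross Site Scripting (Reflected)",
     "url": "http://localhost:8081/openmrs/example/search.htm?phrase=%3Cscript%3E",
     "param": "phrase"},
    {"risk": "Medium", "name": "X-Frame-Options Header Not Set",
     "url": "http://localhost:8081/openmrs/login.htm", "param": ""},
    {"risk": "Informational", "name": "Timestamp Disclosure - Unix",
     "url": "http://localhost:8081/openmrs/index.htm", "param": ""},
]

if __name__ == "__main__":
    driver = driver_through_zap()
    try:
        driver.get(TARGET + "/login.htm")  # each QA flow driven here feeds ZAP's site tree
    finally:
        driver.quit()
    alerts = active_scan(TARGET)
    print(summarize_alerts(alerts), xss_findings(alerts))
    raise SystemExit(1 if should_fail_build(alerts) else 0)
```

The point of routing the existing Selenium flows through the proxy is that ZAP only actively scans what it has already seen, so the QA scripts decide the coverage; the active scan then injects its own XSS payloads into every parameter of those requests, which is the manual per-field work the post wants to avoid. The `should_fail_build` threshold is where the false-positive concern raised later in the thread bites: gating only on High keeps noisy Low/Informational alerts from breaking CI while the rule set is tuned.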

Interesting, thanks @jnsereko for the updates. Probably we might shift back to SonarQube integrations.

I am not sure who has rights to set up SonarQube CI for openmrs-core; probably it might be of help to figure out a starting point. cc @cintiadr @dkayiwa

Do you mind logging a ticket in openmrs-core for upgrading the SonarQube version?


I meant the deployed version. However, I guess it's also necessary to update the Sonar plugin version in core.

I agree with this. From past experience with ZAP, there tend to be a lot of false positives. I think that comes from the fact that ZAP was originally built as a pentesting tool (not great for automated QA). SonarQube seems to be a much better fit for QA.

Thanks @jnsereko for continuing to work on security issues. It’s great to see former GSoC students stick with us!


This needs some consideration, at least if we plan on running this on more than just core (and we definitely should, since our more discoverable issues often originate outside of core). The problem is that while core can be run on 11, we're still building everything targeting Java 8, and most modules only support Java 8, due to the need to remain backwards compatible with older versions of OpenMRS.

I actually tried a newer version of Sonar with the FHIR2 module earlier today and that didn’t work out. There may be a way around this, but it’s something to look into.

I've advocated this before, but I think we should look into SonarCloud rather than maintaining our own instance. It's free for open source projects and would be one less thing we need to maintain or keep up to date.

A little digging on this and it would be quite challenging to upgrade our Sonar instance, primarily because we use a MySQL database for our current install and Sonar have dropped support for Sonar in more recent versions. They used to have a migrator tool, which maybe could be used, but that’s starting to sound like a lot of work: Sonar 6 → Sonar 7 running on Postgres → Sonar 8 → Sonar 9 following Sonar’s recommended upgrade path. Of course, we could always start from scratch.

In any case, the main thing we need, I think, is someone with the time to work through the issues and come up with a solution that will work.

I’m certainly in favour of Sonar since we get more than just security analysis out of it.


Thank you, @isears @ibacher @sharif, for taking a look at this.

@grace suggested that we first try it out in core; if it works out right, we find ways of migrating it to other modules. If core supports Java 11, then we are good for a start.

In the QA meeting Joshua asked if anyone knew of anything other than SonarCloud. OWASP has a whole list of source code analysis tools like SonarQube/SonarCloud: https://owasp.org/www-community/Source_Code_Analysis_Tools. It looks like the "license" column indicates which ones have some sort of "free" version. I'm aware of Coverity Scan through my advisor's connections, but there may be others that are better.
