Logo
TLCTC
SSDLC Hub
SSDLC Series / Part 3 of 3

Engineering the Bridge: A Technical Guide to SonarQube & TLCTC Integration

In Part 2, we explained why you should integrate TLCTC into your SAST pipeline. In Part 3, we provide the code, the logic, and the standardized enumeration system (TLCTC-XX.YY) to actually build it.

BK
Bernhard Kreinz
Loading...
Series Finale

We began with the roles (Part 1) and explored the strategic value (Part 2). Now, we dive into the engineering details: CWE mappings, plugin architecture, and context-aware logic.

The Engineering Challenge: "What" vs "How"

Static Application Security Testing (SAST) tools like SonarQube speak the language of CWE (Common Weakness Enumeration). This is a dictionary of "what" is wrong (e.g., "Improper Neutralization of Input").

Risk Management speaks the language of TLCTC. This is a taxonomy of "how" and "where" a system is compromised (e.g., "Exploiting Server").

To bridge this gap, we cannot simply map 1-to-1. We need Context-Aware Mapping. A buffer overflow (CWE-120) is not just a bug; it is a potential #2 Exploiting Server event if found in an API, or a #3 Exploiting Client event if found in a browser component.

The TLCTC Enumeration System (TLCTC-XX.YY)

Before writing code, we must establish our data standard. The TLCTC framework uses a structured enumeration system designed for machine readability:

  • TLCTC- prefix ensures proper attribution.
  • XX represents the primary cluster number (01-10).
  • .YY suffix allows for future granular sub-categorization (.00 designates the high-level cluster).
Examples 
TLCTC-02.00  // Exploiting Server (General)
TLCTC-08.00  // Physical Attack (General)
TLCTC-08.01  // Physical Attack (Direct Access Sub-type)

Mapping Logic: The Rules Engine

The core of our integration is a mapping engine. It doesn't just look up IDs; it evaluates context.

Figure 1: Context-Aware Mapping Logic Decision flow
Click to Enlarge
INPUT DECISION BRANCH TLCTC TAG Input: CWE ID e.g. CWE-89, CWE-119 Is Context Dependent? No Yes Direct Map static category from CWE alone Analyze File Path /server · /api · /ui · /client Logic / Design Auth / Creds Resource Mgmt /server, /api /client, /ui #1 ABUSE FN TLCTC-01.00 #4 IDENTITY TLCTC-04.00 #6 FLOODING TLCTC-06.00 #2 SERVER TLCTC-02.00 #3 CLIENT TLCTC-03.00 STATIC · vs · CONTEXT-AWARE Static categories on the left resolve from the CWE alone. Context-dependent categories on the right need a path scan to pick #2 vs. #3.
Visualising the decision flow for dynamic tagging.

Implementation: The SonarQube Plugin

Below is a reference implementation for a custom SonarQube `PostProjectAnalysisTask`. This Java class intercepts the analysis results and applies our mapping logic.

TLCTCIntegrationPlugin.java 
package org.sonarqube.plugins.tlctc;

import org.sonar.api.ce.posttask.PostProjectAnalysisTask;
import java.util.HashMap;
import java.util.Map;

public class TLCTCIntegrationPlugin implements PostProjectAnalysisTask {

    private static final Map CWE_TO_TLCTC_MAP = initializeMapping();

    private static Map initializeMapping() {
        Map mapping = new HashMap<>();
        
        // TLCTC-02.00 Exploiting Server (Default for Injection)
        TlctcCategory serverExploit = new TlctcCategory("TLCTC-02.00", "Exploiting Server", false);
        // TLCTC-03.00 Exploiting Client (XSS)
        TlctcCategory clientExploit = new TlctcCategory("TLCTC-03.00", "Exploiting Client", false);
        
        // 1. Direct Mappings
        mapping.put("CWE-89", serverExploit); // SQL Injection
        mapping.put("CWE-79", clientExploit); // XSS
        mapping.put("CWE-798", new TlctcCategory("TLCTC-04.00", "Identity Theft", false));

        // 2. Context Dependent Mappings (Memory Errors)
        TlctcCategory contextDep = new TlctcCategory("TLCTC-02.00", "Exploiting Server", true);
        mapping.put("CWE-119", contextDep); // Buffer Overflow
        mapping.put("CWE-787", contextDep); // Out-of-bounds Write
        
        return mapping;
    }

    // ... logic to iterate issues and apply DetermineContext() ...
}

Handling Context Dependency

The most critical part of the code is handling the "Context Dependent" flag.

  • Default Mapping: We default memory errors to `TLCTC-02.00` (Server), assuming that backend stability is the primary concern for SAST.
  • Context Override: We inspect the file path. If it contains `/frontend/`, `/ui/`, or references client-side frameworks (e.g., React, compiled WASM), we switch the tag to `TLCTC-03.00`.

Mapping Reference Table

For teams who cannot build a custom plugin, you can start by updating your internal wikis or spreadsheets with this reference mapping.

CWE Category Sample CWEs TLCTC Mapping Rationale
Access Control CWE-285, CWE-639 TLCTC-01.00 Abuse of Functions — logic flaws, not code bugs.
Injection CWE-89, CWE-77 TLCTC-02.00 Exploiting Server — flaw in server-side implementation.
Client-Side CWE-79, CWE-601 TLCTC-03.00 Exploiting Client — flaw executes in the user's agent.
Auth / Secrets CWE-798, CWE-287 TLCTC-04.00 Identity Theft — compromises the “who”, not the “how”.
Memory Errors (context-dep.) CWE-119, CWE-787 TLCTC-02.00 / 03.00 Resolved by file path: server-side → #2, client-side → #3.

Conclusion

Integrating the TLCTC framework with SonarQube bridges the gap between technical findings and strategic risk management. By automating this mapping, you move from "fixing bugs" to "blocking threat clusters."

This concludes our three-part series. We have gone from defining the roles of Programmer vs. Coder, to seeing the strategy in action, to writing the code that automates it. The next step is yours: download the plugin, update your dashboards, and start speaking the language of risk.

References

  1. Kreinz, B. TLCTC White Paper V2.1 — multi-layer notation convention. Read V2.1.
  2. Kreinz, B. TLCTC White Paper V2.1 — clarifications: scope of server vs. client software. Read V2.1.
  3. CWE List, MITRE Corporation. cwe.mitre.org.