Ability to search by CWE/CERT ids


(Ankur) #1

I am using SonarQube 6.7.4 and having a hard time finding out the CWE rules which are detectable through SonarQube.

Search under Rules does not show anything, while “cwe” as a tag displays all CWE rules, but to check for CWE ids, I will have to open every single rule from the list.

One example - “NullPointerException” should not be caught - refers to CWE-395, and I can see the linkage when I open the rule, but I would like to search by the id directly (CWE-395) to save time.

A similar feature is already available for OWASP Top 10 vulnerabilities. Under tags, I can type owasp-a1 or owasp-a2 to see rules directly related to them. A similar search capability for CWE ids (e.g. CWE-395, CWE-89) or even for CERT rules (e.g. EXP03-J, EXP50-J) would be a great value add.


(G Ann Campbell) #2

Hi,

Have you tried doing a text search? That should bring back what you’re looking for since every CWE-related rule has the relevant CWE id in the description text.

 
Ann


(Ankur) #3

Thanks. Searching CWE id as text works.
Just a bit inconsistent though, as what works for CWE id search does not work for OWASP, and vice versa.
CWE id (e.g. CWE-582) should be searched as a “text” rather than “tag”, while
OWASP top 10 id (e.g. owasp-a3) should be searched as a “tag” rather than “text”.


(G Ann Campbell) #4

Hi,

Mmmm… let’s say instead “while OWASP Top 10 can be searched as either.”

 
Ann


(Ankur) #5

Nope… searching “owasp-a1” as text does not return anything…


(G Ann Campbell) #6

Hi,

Try searching “OWASP A1”

 
Ann


(Ankur) #7

Yes, this works :+1: