Addition to OWASP top 10 rule sets

Currently sonarcloud scans for OWASP top 10 and SANS top 25 vulnerabilities. There are a few others that would we would like the code to have scanned against. Is there a way to add more vulnerabilities to this list?


Hello Pradeep, sorry for the long delay. Could you elaborate what you mean? Thanks! We do cover CWEs that are not part of OWASP Top 10 or SANS TOP 25.

Hello Hendrik,

The below link has a big list of vulnerabilities. Is there a way to include some of these that are outside of the OWASP top 10?

@CWE - I see that we have 10 rules covered…


Hello Pradeep,

many of these vulnerabilities are covered, even if they are not part of OWASP Top 10. There are currently 112 Java rules that have the CWE tag:

To illustrate I have taken the first few entries and commented them:

Some of these vulnerabilities can not be covered by static analysis (e.g. if they happen outside of your code) but most of them are already covered. Does that help?

Best regards,

Thanks Hendrik… this helps…

Great, I am glad to here that! Of course we have not stopped adding new vulnerabilities, so in the future more and more will be covered (when it is possible).

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.