- Community Edition Version 8.9.6 (build 50800)
- Trying to compare which security rules the Community Edition can pick up, but it is all very vague?
- Do the Developer Edition and up include all the rules from CWE?
Hey there.
Rules which involve “taint analysis” (tracking the flow of user-controlled data) are available only in Developer Edition and above. Hopefully it’s made clear on this page – and if not, let us know what’s confusing so we can consider your feedback!
The additional rules available in Developer Edition and above do a deeper analysis by detecting the flow of data from its source to where that data is ultimately used (to make sure it has been sanitized and is safe to use), while the rules in Community Edition, while valuable, detect less complex vulnerabilities.
For a given language, you can find the additional rules that are available in DE+ by checking the “injection” tag on rules.sonarsource.com, such as for Java.
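
An added illustration of what "tracking the flow of user-controlled data" from source to sink means, not part of the original posts and not SonarQube's implementation: a toy taint tracker run over two constructed programs. The statement format and every variable and sink name are invented for this example.

```python
# Toy taint tracker over a constructed three-address program.
# Statement forms (hypothetical, invented for this example):
#   ("source", dst)           dst receives user-controlled data
#   ("assign", dst, [srcs])   dst is computed from srcs (e.g. string concatenation)
#   ("sanitize", dst, src)    dst is a cleaned copy of src
#   ("sink", name, arg)       arg reaches a sensitive operation

def find_tainted_flows(program):
    """Return [(sink_name, [vars on the path])] for sinks reached by unsanitized data."""
    taint = {}      # variable -> variables the tainted value passed through
    findings = []
    for stmt in program:
        op = stmt[0]
        if op == "source":
            taint[stmt[1]] = [stmt[1]]
        elif op == "assign":
            _, dst, srcs = stmt
            tainted = [s for s in srcs if s in taint]
            if tainted:
                # Taint propagates through the computation; extend the path.
                taint[dst] = taint[tainted[0]] + [dst]
            else:
                taint.pop(dst, None)    # overwritten with clean data
        elif op == "sanitize":
            taint.pop(stmt[1], None)    # the sanitizer's output is treated as clean
        elif op == "sink":
            _, name, arg = stmt
            if arg in taint:
                findings.append((name, taint[arg]))
    return findings

# Constructed sample: user input reaches the query through two intermediate variables.
UNSANITIZED = [
    ("source", "user"),
    ("assign", "clause", ["prefix", "user"]),
    ("assign", "query", ["select", "clause"]),
    ("sink", "executeQuery", "query"),
]
# Constructed sample: same shape, but the input is sanitized before use.
SANITIZED = [
    ("source", "user"),
    ("sanitize", "safe", "user"),
    ("assign", "query", ["select", "safe"]),
    ("sink", "executeQuery", "query"),
]

if __name__ == "__main__":
    print(find_tainted_flows(UNSANITIZED))
    print(find_tainted_flows(SANITIZED))
```

The first program is reported with its full path from source to sink; the second produces no finding because the value was sanitized before it reached the sink.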
Thank you Colin so much for your help.
