Are all security rules such as SQL injection included in all editions of Sonarqube?

  • Community Edition Version 8.9.6 (build 50800)
  • Trying to compare which security rules the Community Edition can pick up, but it is all very vague.
  • Do the Developer Edition and up include all the rules from CWE?

Hey there.

Rules which involve “taint analysis” (tracking the flow of user-controlled data) are available only in Developer Edition and above. Hopefully it’s made clear on this page – and if not, let us know what’s confusing so we can consider your feedback!


Hi, thanks for the reply.
So just to be clear: the rules I see in my SonarQube as shown below (or under the Rules tab in our SonarQube web page), how do those rules work? How do they compare to the ones in Developer Edition and above?

The additional rules available in Developer Edition and above do a deeper analysis by detecting the flow of data from its source to where that data is ultimately used (to make sure it has been sanitized and is safe to use), while the rules in Community Edition, though valuable, detect less complex vulnerabilities.

For a given language, you can find the additional rules that are available in DE+ by checking the "injection" tag on rules.sonarsource.com, such as for Java.
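As an added illustration of the source-to-sink flow described in the reply above (example code written for this page, not from the thread or from SonarSource), the snippet below shows why a SQL injection rule has to track data across functions rather than look at one statement. The user input enters in `get_param()` (a hypothetical stand-in for reading an HTTP parameter), passes unchanged through `build_lookup()`, and reaches the database in `find_user_vulnerable()`; no single one of those functions looks wrong on its own. The sample table, the request dicts and the function names are all constructed for the example; it is in Python with sqlite3 only so that it runs stand-alone.

```python
import sqlite3

# Constructed sample data for the example: a tiny in-memory users table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


# Source: stands in for reading a request parameter. The request is a plain dict
# here (hypothetical); a taint analysis would mark the returned value as
# user-controlled.
def get_param(request, name):
    return request[name]


# Propagation: the tainted value flows through a helper that does not sanitize it.
# Looked at in isolation this is just string concatenation; only a rule that
# knows where `name` came from can flag it.
def build_lookup(name):
    return "SELECT name, email FROM users WHERE name = '" + name + "'"


# Sink: the assembled query is executed. The vulnerability is the whole path
# get_param() -> build_lookup() -> execute(), not any single line.
def find_user_vulnerable(conn, request):
    name = get_param(request, "name")
    query = build_lookup(name)
    return conn.execute(query).fetchall()


# Fixed version: the same tainted value is bound as a parameter, so it never
# becomes part of the SQL text and the flow to the sink is safe.
def find_user_safe(conn, request):
    name = get_param(request, "name")
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed malicious parameter: closes the quoted literal and appends
    # a predicate that is always true.
    evil = {"name": "x' OR '1'='1"}
    print(find_user_vulnerable(conn, evil))  # both sample rows leak
    print(find_user_safe(conn, evil))        # [] : no user has that literal name
```

Running it shows the vulnerable path returning every row for the crafted parameter while the parameterized query returns nothing; a rule that only inspects `build_lookup()` has no way to know its argument is attacker-controlled, which is the gap the flow-tracking rules are meant to close.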

Thank you Colin so much for your help.