I’m seeking insights into how SonarQube Community Edition determines the severity of vulnerabilities as High, Medium, or Low. Specifically, I’m interested in understanding if there is a fixed algorithm or method that SonarQube uses for this classification.
Key Questions:
- Rating Algorithm: Does SonarQube employ a specific algorithm or method to rate vulnerabilities? If so, what is it?
- Rating Methodology: What factors or criteria does SonarQube consider when assigning severity levels to vulnerabilities?
- Official Endorsement: Is there any official documentation or endorsement from SonarQube that explains their rating process in detail?
- CWE/CVE Correlation: Can the severity ratings in SonarQube be directly mapped or correlated with the official vulnerability databases like CWE (Common Weakness Enumeration) or CVE (Common Vulnerabilities and Exposures)?
From the information available on SonarQube’s official website, it is stated that the old severity feature is deprecated and the severity of an issue is now tied to the software qualities impacted (see Clean Code). There are three levels of severity:
- High: Issues that could significantly impact the application’s behavior in production or represent a security flaw. Examples include memory leaks, unclosed JDBC connections, empty catch blocks, or SQL injections. These issues should be reviewed as a top priority.
- Medium: Quality flaws that can highly impact the developer’s productivity. Examples include uncovered pieces of code, duplicated blocks, or unused parameters.
- Low: Quality flaws that slightly impact the developer’s productivity. Examples include excessively long lines or “switch” statements with fewer than three cases. This level also includes issues that are neither bugs nor quality flaws, just findings.
However, the official information does not provide a detailed explanation of the specific rating method or algorithm used. I have attempted to find more detailed explanations or algorithms but have not found comprehensive answers yet.
If anyone has experience or official references on this topic, please share your insights. Understanding this can greatly help in better assessing and managing the security issues identified by SonarQube in our projects.
Thank you!
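An added illustration (not part of the post above, and not SonarSource's code) of how the three severity levels described in the post show up in practice: once issues are exported from the server, each one carries the software quality it impacts and a High/Medium/Low severity, and a reviewer can sort on those two fields so that High-severity Security impacts come first. The script below assumes the JSON shape produced by SonarQube 10.x `api/issues/search`, where each issue has an `impacts` list of `{"softwareQuality", "severity"}` entries, and assumes the migration mapping from the deprecated severity/type model (Blocker/Critical to High, Major to Medium, Minor/Info to Low; Vulnerability/Bug/Code Smell to Security/Reliability/Maintainability) for older issues that lack `impacts`. The issue records themselves are constructed for the example.

```python
"""Bucket and prioritise SonarQube issues by Clean Code impact.

Added example, not from the original post. Assumptions: the issue JSON shape of
SonarQube 10.x `api/issues/search` (each issue has `impacts`, a list of
{"softwareQuality": ..., "severity": ...}), and the legacy-to-impact mapping
below for issues that predate the Clean Code model. The sample issues are
constructed, not real scan output.
"""
import json
from collections import defaultdict

# Lower rank = review sooner. Security impacts outrank the other qualities.
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
QUALITY_RANK = {"SECURITY": 0, "RELIABILITY": 1, "MAINTAINABILITY": 2}

# Assumed mapping from the deprecated severity/type model, used only for
# issues that carry no `impacts` list (e.g. exported from an older server).
LEGACY_SEVERITY_TO_IMPACT = {"BLOCKER": "HIGH", "CRITICAL": "HIGH", "MAJOR": "MEDIUM",
                             "MINOR": "LOW", "INFO": "LOW"}
LEGACY_TYPE_TO_QUALITY = {"VULNERABILITY": "SECURITY", "BUG": "RELIABILITY",
                          "CODE_SMELL": "MAINTAINABILITY"}

# Constructed sample response; keys, rule ids and messages are placeholders.
SAMPLE_RESPONSE = json.dumps({"issues": [
    {"key": "I-1", "rule": "placeholder:sqli", "component": "app:src/Dao.java", "line": 42,
     "message": "SQL query built from user-controlled data.",
     "impacts": [{"softwareQuality": "SECURITY", "severity": "HIGH"}]},
    {"key": "I-2", "rule": "placeholder:longline", "component": "app:src/Util.java", "line": 7,
     "message": "Line is longer than the configured maximum.",
     "impacts": [{"softwareQuality": "MAINTAINABILITY", "severity": "LOW"}]},
    # One issue can impact two qualities with different severities.
    {"key": "I-3", "rule": "placeholder:unclosed", "component": "app:src/Dao.java", "line": 88,
     "message": "JDBC connection is never closed.",
     "impacts": [{"softwareQuality": "RELIABILITY", "severity": "HIGH"},
                 {"softwareQuality": "MAINTAINABILITY", "severity": "MEDIUM"}]},
    # Legacy-shaped issue: no `impacts`, only the old severity and type fields.
    {"key": "I-4", "rule": "placeholder:hardcoded", "component": "app:src/Cfg.java", "line": 3,
     "message": "Credential is hard-coded.", "severity": "CRITICAL", "type": "VULNERABILITY"},
    {"key": "I-5", "rule": "placeholder:unusedparam", "component": "app:src/Svc.java", "line": 19,
     "message": "Parameter is unused.",
     "impacts": [{"softwareQuality": "MAINTAINABILITY", "severity": "MEDIUM"}]},
]})


def parse_issues(raw_json):
    """Return the list of issue dicts from a raw api/issues/search response."""
    return json.loads(raw_json)["issues"]


def impacts_of(issue):
    """Return (softwareQuality, severity) pairs for an issue, deriving them from
    the legacy fields when the record has no `impacts` list."""
    impacts = issue.get("impacts") or []
    if impacts:
        return [(i["softwareQuality"], i["severity"]) for i in impacts]
    quality = LEGACY_TYPE_TO_QUALITY.get(issue.get("type", ""), "MAINTAINABILITY")
    severity = LEGACY_SEVERITY_TO_IMPACT.get(issue.get("severity", ""), "LOW")
    return [(quality, severity)]


def worst_impact(issue):
    """Rank tuple (severity rank, quality rank) of the issue's most urgent impact."""
    return min((SEVERITY_RANK[sev], QUALITY_RANK[qual]) for qual, sev in impacts_of(issue))


def bucket_by_impact(issues):
    """Group issue keys by (softwareQuality, severity); multi-impact issues appear in
    every bucket they touch."""
    buckets = defaultdict(list)
    for issue in issues:
        for quality, severity in impacts_of(issue):
            buckets[(quality, severity)].append(issue["key"])
    return dict(buckets)


def prioritize(issues):
    """Issue keys ordered for review: High before Medium before Low, Security
    before Reliability before Maintainability, then by key for a stable order."""
    return [i["key"] for i in sorted(issues, key=lambda i: (worst_impact(i), i["key"]))]


def count_by_severity(issues):
    """Count issues by the severity of their most urgent impact."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    rank_to_name = {rank: name for name, rank in SEVERITY_RANK.items()}
    for issue in issues:
        counts[rank_to_name[worst_impact(issue)[0]]] += 1
    return counts


if __name__ == "__main__":
    issues = parse_issues(SAMPLE_RESPONSE)
    print("counts:", count_by_severity(issues))
    for (quality, severity), keys in sorted(bucket_by_impact(issues).items()):
        print(f"{quality:<16}{severity:<8}{keys}")
    print("review order:", prioritize(issues))
```

Against a live server the same functions apply to the body of `GET /api/issues/search?componentKeys=<project>` (a token with browse permission is required); the script deliberately reads a constructed response so it runs offline.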