(Enterprise 10.4) SonarQube OWASP Top 10 shows different values in API response compared to UI

Must-share information (formatted with Markdown):

API: https://sonarqubeurl.abc/api/issues/search?componentKeys=Com_Discovery_Abc&facets=owaspTop10-2021&owaspTop10-2021=a1,a2,a3,a4,a5,a6,a7,a8,a9,a10

Result output:
{'a7': 14, 'a3': 4, 'a9': 4, 'a1': 0, 'a2': 0, 'a4': 0, 'a5': 0, 'a6': 0, 'a8': 0, 'a10': 0}
{'a3': 1, 'a1': 0, 'a2': 0, 'a4': 0, 'a5': 0, 'a6': 0, 'a7': 0, 'a8': 0, 'a9': 0, 'a10': 0}
{'a9': 42, 'a8': 39, 'a7': 34, 'a3': 13, 'a2': 7, 'a1': 2, 'a5': 1, 'a4': 0, 'a6': 0, 'a10': 0}
{'a3': 14, 'a9': 14, 'a7': 3, 'a1': 0, 'a2': 0, 'a4': 0, 'a5': 0, 'a6': 0, 'a8': 0, 'a10': 0}
{'a3': 7, 'a9': 7, 'a5': 6, 'a2': 2, 'a7': 2, 'a10': 1, 'a1': 0, 'a4': 0, 'a6': 0, 'a8': 0}
{'a7': 8, 'a1': 0, 'a2': 0, 'a3': 0, 'a4': 0, 'a5': 0, 'a6': 0, 'a8': 0, 'a9': 0, 'a10': 0}

Screenshot is attached for the UI result.

It gives security vulnerability values on the portfolio, but those don’t match the SonarQube UI. This is a blocker for us.

Hi,

The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.

In your case, it looks like you’re comparing the results of a call that’s generally used on the Issues page with the results of a Security Report. So I started on the Issues page to see the version of the query that the UI uses:

https://next.sonarqube.com/sonarqube/api/issues/search?components=MASTER_PROJECT&s=FILE_LINE&issueStatuses=CONFIRMED%2COPEN&ps=1&facets=owaspTop10-2021&additionalFields=_all&timeZone=America%2FKentucky%2FMonticello

There’s a lot more in my URL than in yours, so I started whittling it down, argument by argument, to see what made the difference. I never did get down to an array of arrays, like you show in your “Result output”. It was only ever one set of owaspTop10-2021 values, and always in alpha-numerical order.

But I did find a key difference. You see, my API call results always matched what shows up in the security report until I removed this argument:

&issueStatuses=CONFIRMED%2COPEN

Then the numbers jumped because they suddenly included all the False Positive and Won’t Fix issues.

That’s probably what’s going on for you, as well.

HTH,
Ann

You may also find this guide helpful.
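
A reconciliation check for the difference described in the answer above, as an added example that is not part of the original thread or SonarQube's own code: it builds the facet query with and without the `issueStatuses=CONFIRMED,OPEN` argument and reports which OWASP categories are inflated when that filter is missing. The host, project key, function names and both JSON responses are constructed for illustration, and the facet layout (`facets`, `property`, `values`, `val`, `count`) is an assumption about the response body.

```python
import json
from urllib.parse import urlencode

FACET = "owaspTop10-2021"

def build_search_url(base_url, component, open_only=True):
    """Build an api/issues/search facet query; open_only adds the status filter."""
    params = {"components": component, "facets": FACET, "ps": 1}
    if open_only:
        # Without this argument, False Positive / Won't Fix issues are counted too.
        params["issueStatuses"] = "CONFIRMED,OPEN"
    return f"{base_url.rstrip('/')}/api/issues/search?{urlencode(params)}"

def facet_counts(response_body, facet=FACET):
    """Return {category: count} for one facet of a search response."""
    doc = json.loads(response_body)
    for entry in doc.get("facets", []):
        if entry.get("property") == facet:
            return {v["val"]: v["count"] for v in entry["values"]}
    raise KeyError(f"facet {facet!r} missing from response")

def resolved_overcount(unfiltered, filtered):
    """Per category: how many issues appear only when the status filter is dropped."""
    return {cat: unfiltered[cat] - filtered.get(cat, 0)
            for cat in sorted(unfiltered)
            if unfiltered[cat] != filtered.get(cat, 0)}

# Constructed responses (not real scan data), trimmed to the facet section.
SAMPLE_UNFILTERED = json.dumps({"facets": [{"property": FACET, "values": [
    {"val": "a7", "count": 14}, {"val": "a3", "count": 9},
    {"val": "a9", "count": 4}, {"val": "a1", "count": 0}]}]})
SAMPLE_OPEN_ONLY = json.dumps({"facets": [{"property": FACET, "values": [
    {"val": "a7", "count": 11}, {"val": "a3", "count": 4},
    {"val": "a9", "count": 4}, {"val": "a1", "count": 0}]}]})

if __name__ == "__main__":
    base = "https://sonarqube.example"  # placeholder host
    print(build_search_url(base, "MY_PROJECT", open_only=False))
    print(build_search_url(base, "MY_PROJECT"))
    diff = resolved_overcount(facet_counts(SAMPLE_UNFILTERED),
                              facet_counts(SAMPLE_OPEN_ONLY))
    for cat, extra in diff.items():
        print(f"{cat}: {extra} issue(s) counted only without issueStatuses")
```

A non-empty result means a dashboard built on the unfiltered call will report more vulnerabilities per category than the Security Report shows.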