Must-share information (formatted with Markdown):
- which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension)
  - Enterprise Edition v2025.5
- how is SonarQube deployed: zip, Docker, Helm
  - Server in a closed network
- what are you trying to achieve
  - export any/all Issue(s) that have a Tag.
- what have you tried so far to achieve this
  - API calls
I’m a security SME, I am not a developer. Yes, I can automate many of my reporting tasks, but when it comes to SonarQube, I haven’t been able to find that “one” script that works. When it comes to CWEs, there doesn’t appear to be a single API call that can get all of the tagged CWEs from a project scan. For some reason, SonarQube splits CWE information between Issues and rules. The API can be “issues/search” or “rules/search”, making it impossible to get all the information in a single API call, at least as far as I know.
You could use a Python script, etc… but you have to deal with the page size limitation (ps=500). Presumably, pagination in the script should deal with that. We aren’t having any luck. I guess it’s possible it could be a bug in the build. Pagination does work manually.
The BIG question is, why do we have to jump through these hoops? The data is right in front of me. In Issues, I select the cwe tag, and there is all the data I need for each code variant. The problem is that data cannot easily be extracted, at least I haven’t figured out a way.
This is seriously frustrating. SonarQube does not associate all CWEs with security related issues. Many CWEs are only bugs and/or code_smells. That pretty much renders your security report useless as CWEs are associated with pretty much all of the established security standards. On top of that, coverage is limited on C/C++, maybe other languages as well… They say that will be fixed, I’m still waiting… With all of that, the worst is, I have hundreds of CWEs with all the information I need tagged in one place in the SonarQube UI and I can’t easily extract them (not easily=manually/semi-manually). When I run an API the JSON has over 64k pages and I can only see 500 at a time (that’s for rules and issues). The python script helps because it combines results from rules and issues, but as stated above, pagination is not working for some reason. Even playing with the API calls to narrow the results is not really helpful, as specified data loses some coherence (that’s the best way I can think to state it). It just makes sense to be able to right click and select export>CSV or some other format that can be easily manipulated, or fix the SonarQube security reports so that “every” CWE makes its way to the security report(s).
Hundreds of entries like this:
with no easy way to extract it.
All suggestions are welcome.
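The issues/rules join and the ps=500 pagination discussed in the post, as an added example that is not part of the original post or of SonarQube's own tooling: it walks `api/issues/search` page by page for everything tagged `cwe`, looks up each distinct rule once via `api/rules/show`, and emits one CSV row per issue with the rule's `cwe:` identifiers. The `sonar_get` client, the `components` query parameter, and the `securityStandards` field on the rule JSON are assumptions about the REST API; `fake_get`, `_ISSUES` and `_RULES` are a constructed offline stand-in with placeholder rule keys.

```python
import base64, csv, io, json, urllib.parse, urllib.request
def sonar_get(base_url, token, path, params):
    # Real client (assumed URL layout): GET <base_url>/<path>, user token as the Basic-auth user name.
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def paginate(get, path, params, key, ps=500):
    # Walk a */search endpoint until paging.total is exhausted (the server caps ps at 500).
    # api/issues/search serves at most the first 10,000 results; if total is larger, split the query.
    items, page = [], 1
    while True:
        data = get(path, {**params, "ps": ps, "p": page})
        items.extend(data[key])
        if not data[key] or page * data["paging"]["pageSize"] >= data["paging"]["total"]:
            return items
        page += 1

def cwe_report(get, project, ps=500):
    # Join every issue carrying the 'cwe' tag with the CWE ids from its rule's securityStandards.
    issues = paginate(get, "api/issues/search", {"components": project, "tags": "cwe"}, "issues", ps)
    rules = {rk: get("api/rules/show", {"key": rk})["rule"]      # one call per distinct rule key
             for rk in sorted({i["rule"] for i in issues})}
    rows = []
    for i in issues:
        std = rules[i["rule"]].get("securityStandards", [])     # e.g. ["cwe:119", "owaspTop10:a1"]
        rows.append({"issue": i["key"], "rule": i["rule"], "type": i["type"], "severity": i["severity"],
                     "component": i["component"], "line": i.get("line", ""), "message": i["message"],
                     "cwe": ";".join(s for s in std if s.startswith("cwe:"))})
    return rows

def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(rows[0]) if rows else ["issue"], lineterminator="\n")
    w.writeheader(); w.writerows(rows)
    return buf.getvalue()

# Constructed offline stand-in for the server: 3 issues served 2 per page, placeholder rule keys.
_ISSUES = [{"key": f"AX{n}", "rule": "cpp:ExampleRuleA" if n % 2 else "cpp:ExampleRuleB", "type": "BUG",
            "severity": "MAJOR", "component": "proj:src/a.c", "line": n, "message": "constructed"}
           for n in range(1, 4)]
_RULES = {"cpp:ExampleRuleA": ["cwe:119", "cwe:120"], "cpp:ExampleRuleB": ["cwe:119", "owaspTop10:a1"]}
def fake_get(path, params):
    if path == "api/issues/search":
        ps, p = params["ps"], params["p"]
        return {"paging": {"pageIndex": p, "pageSize": ps, "total": len(_ISSUES)},
                "issues": _ISSUES[(p - 1) * ps:p * ps]}
    return {"rule": {"key": params["key"], "securityStandards": _RULES[params["key"]]}}
```

Against a real server, pass `lambda p, q: sonar_get(URL, TOKEN, p, q)` as `get` and write `to_csv(cwe_report(get, "my:project"))` to a file; `cwe_report(fake_get, "proj", ps=2)` exercises the two-page walk offline.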
