Extracting OWASP mappings

  • Using SonarQube version 9.2.4.50792
  • I am trying to extract the OWASP mapping to see how the vulnerabilities are mapped to the OWASP categories.
  • Can't find a way to extract the mappings after having gone through the documentation and the dashboard.

Hey there.

You can filter in the Rules UI to a specific OWASP category.

If you need to export this information you can use the GET api/rules/search Web API and the owaspTop10 query parameter.

//// https://next.sonarqube.com/sonarqube/api/rules/search?owaspTop10=a1
{
   "total":99,
   "p":1,
   "ps":100,
   "rules":[
      {
         "key":"python:S2077",
         "repo":"python",
         "name":"Formatting SQL queries is security-sensitive",
         "createdAt":"2019-03-11T09:09:29+0000",
         "htmlDesc":"\u003cp\u003eFormatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the\nquery. However, this rule doesn’t detect SQL injections (unlike rule \u003ca href\u003d\u0027/sonarqube/coding_rules#rule_key\u003dpython%3AS3649\u0027\u003eS3649\u003c/a\u003e), the goal is only to highlight complex/formatted\nqueries.\u003c/p\u003e\n\u003ch2\u003eAsk Yourself Whether\u003c/h2\u003e\n\u003cul\u003e\n  \u003cli\u003e Some parts of the query come from untrusted values (like user inputs). \u003c/li\u003e\n  \u003cli\u003e The query is repeated/duplicated in other parts of the code. \u003c/li\u003e\n  \u003cli\u003e The application must support different types of relational databases. \u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThere is a risk if you answered yes to any of those questions.\u003c/p\u003e\n\u003ch2\u003eRecommended Secure Coding Practices\u003c/h2\u003e\n\u003cul\u003e\n  \u003cli\u003e Use \u003ca href\u003d\"https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet\"\u003eparameterized queries, prepared statements, or stored\n  procedures\u003c/a\u003e and bind variables to SQL query parameters. \u003c/li\u003e\n  \u003cli\u003e Consider using ORM frameworks if there is a need to have an abstract layer to access data. 
\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eSensitive Code Example\u003c/h2\u003e\n\u003cpre\u003e\nfrom django.db import models\nfrom django.db import connection\nfrom django.db import connections\nfrom django.db.models.expressions import RawSQL\n\nvalue \u003d input()\n\n\nclass MyUser(models.Model):\n    name \u003d models.CharField(max_length\u003d200)\n\n\ndef query_my_user(request, params, value):\n    with connection.cursor() as cursor:\n        cursor.execute(\"{0}\".format(value))  # Sensitive\n\n    # https://docs.djangoproject.com/en/2.1/ref/models/expressions/#raw-sql-expressions\n\n    RawSQL(\"select col from %s where mycol \u003d %s and othercol \u003d \" + value, (\"test\",))  # Sensitive\n\n    # https://docs.djangoproject.com/en/2.1/ref/models/querysets/#extra\n\n    MyUser.objects.extra(\n        select\u003d{\n            \u0027mycol\u0027:  \"select col from sometable here mycol \u003d %s and othercol \u003d \" + value}, # Sensitive\n           select_params\u003d(someparam,),\n        },\n    )\n\u003c/pre\u003e\n\u003ch2\u003eCompliant Solution\u003c/h2\u003e\n\u003cpre\u003e\ncursor \u003d connection.cursor(prepared\u003dTrue)\nsql_insert_query \u003d \"\"\" select col from sometable here mycol \u003d %s and othercol \u003d %s \"\"\"\n\nselect_tuple \u003d (1, value)\n\ncursor.execute(sql_insert_query, select_tuple) # Compliant, the query is parameterized\nconnection.commit()\n\u003c/pre\u003e\n\u003ch2\u003eSee\u003c/h2\u003e\n\u003cul\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://owasp.org/Top10/A03_2021-Injection/\"\u003eOWASP Top 10 2021 Category A3\u003c/a\u003e - Injection \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://www.owasp.org/index.php/Top_10-2017_A1-Injection\"\u003eOWASP Top 10 2017 Category A1\u003c/a\u003e - Injection \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eMITRE, CWE-89\u003c/a\u003e - Improper Neutralization of Special Elements 
used in an SQL Command\n  \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/564.html\"\u003eMITRE, CWE-564\u003c/a\u003e - SQL Injection: Hibernate \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/20.html\"\u003eMITRE, CWE-20\u003c/a\u003e - Improper Input Validation \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/943.html\"\u003eMITRE, CWE-943\u003c/a\u003e - Improper Neutralization of Special Elements in Data Query Logic\n  \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://www.sans.org/top25-software-errors/#cat1\"\u003eSANS Top 25\u003c/a\u003e - Insecure Interaction Between Components \u003c/li\u003e\n  \u003cli\u003e Derived from FindSecBugs rules \u003ca href\u003d\"https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA\"\u003ePotential SQL/JPQL Injection\n  (JPA)\u003c/a\u003e, \u003ca href\u003d\"https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO\"\u003ePotential SQL/JDOQL Injection (JDO)\u003c/a\u003e, \u003ca\n  href\u003d\"https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_HIBERNATE\"\u003ePotential SQL/HQL Injection (Hibernate)\u003c/a\u003e \u003c/li\u003e\n\u003c/ul\u003e",
         "mdDesc":"\u003cp\u003eFormatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the\nquery. However, this rule doesn’t detect SQL injections (unlike rule {rule:python:S3649}), the goal is only to highlight complex/formatted\nqueries.\u003c/p\u003e\n\u003ch2\u003eAsk Yourself Whether\u003c/h2\u003e\n\u003cul\u003e\n  \u003cli\u003e Some parts of the query come from untrusted values (like user inputs). \u003c/li\u003e\n  \u003cli\u003e The query is repeated/duplicated in other parts of the code. \u003c/li\u003e\n  \u003cli\u003e The application must support different types of relational databases. \u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThere is a risk if you answered yes to any of those questions.\u003c/p\u003e\n\u003ch2\u003eRecommended Secure Coding Practices\u003c/h2\u003e\n\u003cul\u003e\n  \u003cli\u003e Use \u003ca href\u003d\"https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet\"\u003eparameterized queries, prepared statements, or stored\n  procedures\u003c/a\u003e and bind variables to SQL query parameters. \u003c/li\u003e\n  \u003cli\u003e Consider using ORM frameworks if there is a need to have an abstract layer to access data. 
\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eSensitive Code Example\u003c/h2\u003e\n\u003cpre\u003e\nfrom django.db import models\nfrom django.db import connection\nfrom django.db import connections\nfrom django.db.models.expressions import RawSQL\n\nvalue \u003d input()\n\n\nclass MyUser(models.Model):\n    name \u003d models.CharField(max_length\u003d200)\n\n\ndef query_my_user(request, params, value):\n    with connection.cursor() as cursor:\n        cursor.execute(\"{0}\".format(value))  # Sensitive\n\n    # https://docs.djangoproject.com/en/2.1/ref/models/expressions/#raw-sql-expressions\n\n    RawSQL(\"select col from %s where mycol \u003d %s and othercol \u003d \" + value, (\"test\",))  # Sensitive\n\n    # https://docs.djangoproject.com/en/2.1/ref/models/querysets/#extra\n\n    MyUser.objects.extra(\n        select\u003d{\n            \u0027mycol\u0027:  \"select col from sometable here mycol \u003d %s and othercol \u003d \" + value}, # Sensitive\n           select_params\u003d(someparam,),\n        },\n    )\n\u003c/pre\u003e\n\u003ch2\u003eCompliant Solution\u003c/h2\u003e\n\u003cpre\u003e\ncursor \u003d connection.cursor(prepared\u003dTrue)\nsql_insert_query \u003d \"\"\" select col from sometable here mycol \u003d %s and othercol \u003d %s \"\"\"\n\nselect_tuple \u003d (1, value)\n\ncursor.execute(sql_insert_query, select_tuple) # Compliant, the query is parameterized\nconnection.commit()\n\u003c/pre\u003e\n\u003ch2\u003eSee\u003c/h2\u003e\n\u003cul\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://owasp.org/Top10/A03_2021-Injection/\"\u003eOWASP Top 10 2021 Category A3\u003c/a\u003e - Injection \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://www.owasp.org/index.php/Top_10-2017_A1-Injection\"\u003eOWASP Top 10 2017 Category A1\u003c/a\u003e - Injection \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eMITRE, CWE-89\u003c/a\u003e - Improper Neutralization of Special Elements 
used in an SQL Command\n  \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/564.html\"\u003eMITRE, CWE-564\u003c/a\u003e - SQL Injection: Hibernate \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/20.html\"\u003eMITRE, CWE-20\u003c/a\u003e - Improper Input Validation \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/943.html\"\u003eMITRE, CWE-943\u003c/a\u003e - Improper Neutralization of Special Elements in Data Query Logic\n  \u003c/li\u003e\n  \u003cli\u003e \u003ca href\u003d\"https://www.sans.org/top25-software-errors/#cat1\"\u003eSANS Top 25\u003c/a\u003e - Insecure Interaction Between Components \u003c/li\u003e\n  \u003cli\u003e Derived from FindSecBugs rules \u003ca href\u003d\"https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA\"\u003ePotential SQL/JPQL Injection\n  (JPA)\u003c/a\u003e, \u003ca href\u003d\"https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO\"\u003ePotential SQL/JDOQL Injection (JDO)\u003c/a\u003e, \u003ca\n  href\u003d\"https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_HIBERNATE\"\u003ePotential SQL/HQL Injection (Hibernate)\u003c/a\u003e \u003c/li\u003e\n\u003c/ul\u003e",
         "severity":"MAJOR",
         "status":"READY",
         "isTemplate":false,
         "tags":[
            
         ],
.....
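The reply above gives the query; what a practitioner usually wants next is the full category-to-rule table rather than one page of one category. The script below is an added example (not SonarSource code and not from the reply) that calls `GET api/rules/search?owaspTop10=<a1..a10>` for every 2017 category, follows the `total`/`p`/`ps` pagination visible in the response above, and produces both the category-to-rules and rule-to-categories views. Assumptions: the server is reached over HTTPS with a user token passed as the basic-auth user name (the token form SonarQube 9.x accepts), `ps=500` is the maximum page size, and the `SAMPLE` dictionary is a constructed stand-in for the live response so the script runs offline; `base_url`, `token` and the helper names are illustrative.

```python
"""Added example: extract the OWASP Top 10 (2017) category -> rule mapping from
SonarQube's GET api/rules/search, one category at a time, following pagination.
Not SonarSource code; the SAMPLE response below is constructed for an offline run.
"""
import base64
import json
import urllib.parse
import urllib.request

# The owaspTop10 query parameter takes the 2017 category ids a1..a10.
OWASP_2017 = [f"a{i}" for i in range(1, 11)]
PAGE_SIZE = 500  # assumed maximum page size accepted by api/rules/search


def build_search_url(base_url: str, category: str, page: int,
                     page_size: int = PAGE_SIZE) -> str:
    """URL for one page of one OWASP category, e.g. .../api/rules/search?owaspTop10=a1&p=1&ps=500"""
    query = urllib.parse.urlencode({"owaspTop10": category, "p": page, "ps": page_size})
    return f"{base_url.rstrip('/')}/api/rules/search?{query}"


def make_http_fetch(base_url: str, token: str):
    """Return a fetch(category, page) callable that queries a live server.

    The user token goes in as the basic-auth user name with an empty password
    (assumption: that is the token form your 9.x server accepts). Use HTTPS so
    the token is not sent in clear text.
    """
    cred = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(category: str, page: int) -> dict:
        req = urllib.request.Request(build_search_url(base_url, category, page))
        req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


def iter_pages(fetch, category: str):
    """Yield every result page for one category, using total/p/ps from the response."""
    page = 1
    while True:
        data = fetch(category, page)
        yield data
        if data["p"] * data["ps"] >= data["total"]:  # last page reached
            return
        page += 1


def rules_by_category(fetch, categories=OWASP_2017) -> dict:
    """category -> sorted rule keys; duplicates across pages are collapsed."""
    mapping = {}
    for cat in categories:
        keys = set()
        for data in iter_pages(fetch, cat):
            keys.update(rule["key"] for rule in data["rules"])
        mapping[cat] = sorted(keys)
    return mapping


def invert(mapping: dict) -> dict:
    """rule key -> sorted categories: the per-rule view the question asks for."""
    out = {}
    for cat, keys in mapping.items():
        for key in keys:
            out.setdefault(key, []).append(cat)
    return {key: sorted(cats) for key, cats in out.items()}


# Constructed sample shaped like the real response; ps is forced to 2 so that
# the a1 query spans two pages and exercises the pagination loop.
SAMPLE = {
    ("a1", 1): {"total": 3, "p": 1, "ps": 2,
                "rules": [{"key": "python:S2077"}, {"key": "python:S3649"}]},
    ("a1", 2): {"total": 3, "p": 2, "ps": 2, "rules": [{"key": "java:S2077"}]},
    ("a7", 1): {"total": 1, "p": 1, "ps": 2, "rules": [{"key": "python:S3649"}]},
}


def sample_fetch(category: str, page: int) -> dict:
    """Offline stand-in for make_http_fetch(...); empty categories return total 0."""
    return SAMPLE.get((category, page), {"total": 0, "p": page, "ps": 2, "rules": []})


if __name__ == "__main__":
    # Offline run. For a live server, replace sample_fetch with:
    #   make_http_fetch("https://sonar.example.internal", os.environ["SONAR_TOKEN"])
    by_cat = rules_by_category(sample_fetch, ["a1", "a7"])
    print(json.dumps(by_cat, indent=2))
    print(json.dumps(invert(by_cat), indent=2))
```

Two caveats when running this against a real instance: the `owaspTop10` parameter selects the 2017 categories only, so check your server's own Web API documentation (under `/web_api`) for the parameter that covers the 2021 list shown in the rule description above, and keep the token in an environment variable or secret store rather than on the command line, where it would land in shell history.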