Get SEI-CERT coverage - Extract CERT rules


I know that I can see the list of rules available for each language here:

I would like to extract the CERT rules only, to know what the Sonar coverage is regarding this standard. The extract will probably be in Excel / CSV format (any other is OK, I can transform it later).

The main objective is to know which of the SEI CERT rules are covered by SonarQube checks.

So I could do it by extracting the rules and the associated “See” section.

I could not find a “coverage matrix” of the SEI CERT for C, CPP and Java. Does it exist?
The SEI CERT website is not always maintained, so I guess Sonar maintains the list of covered rules.

Thanks in advance for your answer/help,


PS: I created a new topic as I did not have any “up to date” answers on the old one here: Download SONAR Rules from - Get help / SonarQube - SonarSource Community


Those mapping/coverage reports got killed a while ago.

For building your own reports… we didn’t build the rules site for this type of export, so you’re going to end up screen scraping. Another option would be to go directly to the (current) source: our internal RSpec Jira project.


Thanks for your answer,

What a surprise. I do not understand why Sonar does not provide this type of matrix. That is more than useful for many users, especially when talking about the security compliance of our code against famous standards (SEI-CERT, MISRA and so on).

Moreover, most of the competitors do provide this type of info, so it makes sense to compare the coverage of the different solutions (including Sonar).

I do not have a clear vision of the Sonar strategy/roadmap regarding security checks, but maybe that is not a priority to comply with standards.

I will not do it manually, because it will be a nightmare to maintain. I guess I can consider that I will never have info for that topic, unfortunately.


Thanks for your feedback. FYI, I’m moving this to the Feature Request category.



Thanks, that is a great feature idea. It would be a pleasure to talk about this topic with the Sonar teams. I could go into the details of my company’s and customers’ contexts if necessary.

If you go to our Jira RSpec project, you don’t have to build this matrix manually, but can extract it in a semi-automated way with the right query…


Hi Loïc,

Sorry for the late reply.
I do not really understand how you do it in a semi-automated way. If you can be more accurate, it could help a lot.

Thanks in advance

Hello @Jix,

The link provided by Ann in her previous message is already a direct link to a query that will list all C rules with the CERT tag. You can then use this list directly, or export it (for instance in XML format), for any purpose you want.

Hope this clarifies?

Oh, I did not understand that Jira RSpec contains all the current rules. I’ll check that. Thanks for your answer.

Hi there,

Eventually I found the solution. It is possible to gather CERT information and the associated Sonar checkers by using the Jira Project - SonarSource link posted by @ganncamp.

You can easily extract it in XML and parse the content with a script. FYI, I used Python requests with lxml to parse the different XML files for C, CPP and Java. Based on this, I can create an Excel file (thanks to Python pandas) with a matrix showing which Sonar checker covers which CERT rule/recommendation.

Just to mention that it does not provide an accurate coverage of the SEI-CERT. Indeed, the fact that a checker is associated with a rule does not mean it will always work (false or true positives are possible). Anyway, that is a good starting point to evaluate SEI CERT coverage by Sonar.

The parsing can be done in less than 30 lines of code; it is easy to implement.

Thanks to @JolyLoic and @ganncamp, and I hope it will help other readers get this information.

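As an added example (not code from this thread, from SonarSource, or from the RSpec project), here is the approach the reply above describes: parse a Jira XML export, pull the CERT identifiers out of each rule's "See" section, and invert that into a CERT-rule-to-checker coverage matrix. It uses the standard library (xml.etree and csv) in place of lxml and pandas; the XML layout, the rule keys and the CERT rule list are constructed assumptions, not the real export.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the general shape of a Jira RSS/XML issue export (an assumption:
# field names in the real RSpec export may differ). Jira HTML-escapes the description body.
SAMPLE_XML = """<rss version="0.92"><channel>
 <item><key>RSPEC-0001</key><title>Plain int bit-fields</title>
  <description>&lt;h2&gt;See&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;CERT, INT12-C.&lt;/li&gt;&lt;/ul&gt;</description>
  <labels><label>cert</label></labels></item>
 <item><key>RSPEC-0002</key><title>Signed integer overflow</title>
  <description>&lt;h2&gt;See&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;CERT, INT32-C.&lt;/li&gt;&lt;li&gt;CERT, INT30-C.&lt;/li&gt;&lt;/ul&gt;</description>
  <labels><label>cert</label></labels></item>
 <item><key>RSPEC-0003</key><title>No standard references</title><description>Plain text only.</description><labels/></item>
</channel></rss>"""

# SEI CERT identifiers: three letters, two digits, dash, language suffix (INT32-C, EXP50-CPP, MSC03-J).
CERT_ID = re.compile(r"\b([A-Z]{3}\d{2}-(?:CPP|C|J))\b")

# Constructed subset of the CERT C rule list; the full list has to come from the SEI CERT site.
CERT_C_RULES = ["INT12-C", "INT30-C", "INT31-C", "INT32-C"]

def extract_cert_refs(xml_text):
    """Map each exported rule key to the CERT ids cited in its description ("See" section)."""
    refs = {}
    for item in ET.fromstring(xml_text).iter("item"):
        desc = item.findtext("description") or ""  # ElementTree decodes &lt;/&gt; for us
        ids = sorted(set(CERT_ID.findall(desc)))
        if ids:  # rules citing no CERT id are left out of the mapping
            refs[item.findtext("key")] = ids
    return refs

def coverage_matrix(refs, cert_rules):
    """Invert the mapping: for every CERT rule in the standard, the Sonar rules citing it ([] = none)."""
    by_cert = defaultdict(list)
    for key, ids in refs.items():
        for cid in ids:
            by_cert[cid].append(key)
    return {cid: sorted(by_cert.get(cid, [])) for cid in cert_rules}

def to_csv(matrix):
    """Render one row per CERT rule for a spreadsheet. A citation is only a candidate mapping,
    not proof that the checker catches every instance of the CERT rule."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["cert_rule", "covered", "sonar_rules"])
    for cid, keys in matrix.items():
        w.writerow([cid, "yes" if keys else "no", ";".join(keys)])
    return out.getvalue()
```

Run `to_csv(coverage_matrix(extract_cert_refs(SAMPLE_XML), CERT_C_RULES))` once per language export (C, CPP, Java) with that language's CERT rule list to get one sheet per standard.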
