How can I use ruleset OWASP 2021 in the Sonarcloud

Hello. I want to know how to find the OWASP 2021 security ruleset.

In my SonarCloud web console, there are security ruleset categories (OWASP Top 10, CWE…). The OWASP Top 10 category is the same as OWASP 2017. I want to use the OWASP 2021 ruleset.

How can I find the OWASP 2021 ruleset in my SonarCloud web console?

Hello,

Thanks for your patience.

You don’t need to select a precise ruleset to target the OWASP Top 10 2021; Sonar always supports the latest version, which is, as of Dec’24, the 2021 version.
All the security rules (activated by default) are there to detect the latest and most common security risks in your code.

The “Security Category” facet available at the Issues level is outdated, and it’s a leftover that we will drop pretty soon.

If you want to see how your code is exposed to specific risks supported by various security standards, you should look at the Enterprise Plan, which provides the expected reporting capabilities supporting:

  • PCI DSS 4.0
  • OWASP ASVS 4.0
  • OWASP Top 10 2021
  • CWE Top 25 2023
  • STIG ASD_V5R3
  • CASA

Regards
Alex

CC: @Chris about the “Security Category” facet
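As an added example (not part of this thread, and not Sonar's own code): a Python script that asks SonarCloud's issues search Web API for the `owaspTop10-2021` facet and prints how many open vulnerabilities in one project fall into each OWASP Top 10 2021 category, which is the quickest way to see 2021 exposure without a dedicated ruleset. The endpoint, query parameters and facet name are assumed from the SonarQube/SonarCloud Web API (check them on your instance's /web_api page); the `SONAR_TOKEN` and `SONAR_PROJECT_KEY` environment variables, the project key and the sample response are constructed for the example.

```python
"""Count a SonarCloud project's open vulnerabilities per OWASP Top 10 2021
category via api/issues/search and its 'owaspTop10-2021' facet.

Added example, not from the forum thread or from Sonar. Endpoint, parameter
and facet names are assumed from the SonarQube/SonarCloud Web API; verify
them against /web_api on your instance. The sample response is constructed.
"""
import json
import os
import urllib.parse
import urllib.request

SONARCLOUD = "https://sonarcloud.io"

# OWASP Top 10 2021 categories, keyed the way the Web API reports them.
OWASP_2021 = {
    "a1": "Broken Access Control",
    "a2": "Cryptographic Failures",
    "a3": "Injection",
    "a4": "Insecure Design",
    "a5": "Security Misconfiguration",
    "a6": "Vulnerable and Outdated Components",
    "a7": "Identification and Authentication Failures",
    "a8": "Software and Data Integrity Failures",
    "a9": "Security Logging and Monitoring Failures",
    "a10": "Server-Side Request Forgery",
}


def build_search_url(project_key, page_size=1):
    """Request only the OWASP 2021 facet; ps=1 keeps the issue payload tiny."""
    params = {
        "componentKeys": project_key,
        "types": "VULNERABILITY",   # Security Hotspots live under api/hotspots/search
        "resolved": "false",        # open issues only
        "facets": "owaspTop10-2021",
        "ps": page_size,
    }
    return f"{SONARCLOUD}/api/issues/search?" + urllib.parse.urlencode(params)


def fetch(url, token):
    """GET the URL with a SonarCloud user token (Bearer auth)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(response):
    """Return [(key, name, count)] for categories with open issues, largest first."""
    facet = next((f for f in response.get("facets", [])
                  if f.get("property") == "owaspTop10-2021"), None)
    if facet is None:
        raise ValueError("response carries no owaspTop10-2021 facet; "
                         "check the facet name against /web_api")
    rows = []
    for entry in facet.get("values", []):
        key, count = entry.get("val"), int(entry.get("count", 0))
        if count == 0:
            continue
        # Any key outside a1..a10 (issues with no 2021 mapping) gets a generic label.
        rows.append((key, OWASP_2021.get(key, "Not mapped to a 2021 category"), count))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


# Constructed sample shaped like an api/issues/search reply (issues list trimmed).
SAMPLE_RESPONSE = {
    "total": 7,
    "paging": {"pageIndex": 1, "pageSize": 1, "total": 7},
    "issues": [],
    "facets": [{
        "property": "owaspTop10-2021",
        "values": [
            {"val": "a3", "count": 4},
            {"val": "a2", "count": 2},
            {"val": "a1", "count": 1},
            {"val": "a5", "count": 0},
        ],
    }],
}


def main():
    token = os.environ.get("SONAR_TOKEN")          # assumed env var names
    project = os.environ.get("SONAR_PROJECT_KEY")
    if token and project:
        response = fetch(build_search_url(project), token)
    else:
        response = SAMPLE_RESPONSE                  # offline run on the sample
    for key, name, count in summarize(response):
        print(f"{key.upper():>4}  {name:<45} {count}")


if __name__ == "__main__":
    main()
```

Two caveats: the counts are raw open vulnerabilities, not the standard-by-standard report the Enterprise Plan produces, and Security Hotspots are not included because `api/issues/search` does not return them; query `api/hotspots/search` separately if you want them in the picture.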