How dose SonarQube get updates for current CWA, OWASP Top 10 and SANS Top 25 entries?

Currently using SonarQube 8.0, sonar-scanner-cli-4.2 on windows (but this is more of an general question).

Im a student currently writing a thesis about SAST tools. Im interestend how SonarQube is keeping itself up to date with new CWA entries, future OWASP and SANS Top listings.

  • Dose the SonarQube server get regular updates, in regard to the above, that do not consist of upgrading to a next version?
  • If yes, how are they distributed?
  • Dose my SonarQube instance need an internet connection to recieve them or are manual installations possible?
  • Which OWASP Top 10 version is currently supported?
  • Which SANS Top 25 version is currently supported?
  • Up until which CWA entrie dose SonarQube check for?

I tried to find relevant information about this in the docs but could not find any.
I am sorry if this is the wrong place to ask this!

Thank you.

(Excuse me for any gramatical errors. English is not my mother tongue.)

Hello @Antonio_Lombardi,

You need to update the analyzers to get the latest version of our rules. This can be easily done from the Marketplace.
If you are talking about the Injection Flaws rules coming with SonarQube Developer Edition (SQLi, Command Injection, …), you need to upgrade SonarQube itself to get updates.

Today, we support OWASP Top 10 2017 and SANS Top 25 (the latest version was released in 2011).
We are planning to replace SANS Top 25 by CWE Top 25 and once a new version of the OWASP Top 10 will be released, we will do our best to support it.


When is this planned for? I am looking at my Portfolio Report in 8.4.2 and it still has SANS Top 25.


This should be available by end of 2020.


1 Like