How to update CWE rules

I wonder how the CWE vulnerability database is being updated in SonarQube.

We are using SonarQube Developer Edition Version 8.2 (build 32929), which has rules like:

"@RequestMapping" methods should specify HTTP method *Available Since Mar 15, 2021* SonarAnalyzer (Java)

We have this plugin installed:
Java Code Quality and Security
Code Analyzer for Java 6.3.2 (build 22818)

But that 6.3.2 release was published on 20 July 2020.

How can it have rules from March 2021 if plugin is older?

Is there some kind of internal mechanism that always updates the CWE database regardless of the plugin version/date? I had always thought that in order to update the rules I must update the Sonar version.

On the other hand, I have tried to analyze vulnerabilities like this one with Sonar:

But I don’t get the vulnerability in the scan.

That's why I wonder how to update the CWE database.
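The two facts the question hinges on, the analyzer version actually installed on the server and the date the server registered the rule, can both be read from the SonarQube Web API instead of the UI. The script below is an added example for this thread, not code from the original post or from SonarSource. It uses the `api/plugins/installed` and `api/rules/search` endpoints (with the `rule_key` parameter); the JSON documents embedded in it are constructed samples in the shape those endpoints return, the rule key `java:S3752` is assumed to be the key of the `"@RequestMapping" methods should specify HTTP method` rule, and the server URL and token in `main()` are placeholders.

```python
"""Compare the installed SonarQube analyzer version and a rule's server-side
registration date ("Available Since" in the UI) against the analyzer release date.

Added example for the thread above; the JSON below is constructed, not captured
from a real server.
"""
import base64
import json
from datetime import date, datetime
from urllib.parse import urlencode
from urllib.request import Request, urlopen

RULE_KEY = "java:S3752"          # assumed key of the @RequestMapping rule
PLUGIN_KEY = "java"              # key of "Java Code Quality and Security"
PLUGIN_RELEASE = date(2020, 7, 20)  # release date of SonarJava 6.3.2 quoted in the post

# Constructed sample of GET /api/plugins/installed (fields trimmed to what we use).
SAMPLE_PLUGINS = json.loads("""
{"plugins": [
  {"key": "java", "name": "Java Code Quality and Security", "version": "6.3.2.22818"},
  {"key": "python", "name": "Python Code Quality and Security", "version": "2.13.0.7236"}
]}
""")

# Constructed sample of GET /api/rules/search?rule_key=java:S3752.
SAMPLE_RULES = json.loads("""
{"total": 1, "rules": [
  {"key": "java:S3752",
   "name": "\\"@RequestMapping\\" methods should specify HTTP method",
   "createdAt": "2021-03-15T10:12:33+0000",
   "sysTags": ["cwe", "spring"]}
]}
""")


def fetch_json(base_url, path, token, params=None):
    """GET a Web API endpoint; a user token is sent as the basic-auth username."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urlencode(params)
    req = Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_sonar_ts(ts):
    """SonarQube timestamps carry a colon-less offset (+0000); older Pythons need +00:00."""
    if len(ts) >= 5 and ts[-5] in "+-" and ts[-3] != ":":
        ts = ts[:-2] + ":" + ts[-2:]
    return datetime.fromisoformat(ts)


def analyzer_version(plugins_json, plugin_key=PLUGIN_KEY):
    """Version string of one installed plugin, or None if it is not installed."""
    for plugin in plugins_json.get("plugins", []):
        if plugin.get("key") == plugin_key:
            return plugin.get("version")
    return None


def rule_available_since(rules_json, rule_key=RULE_KEY):
    """Date the server registered the rule (createdAt), or None if the rule is absent."""
    for rule in rules_json.get("rules", []):
        if rule.get("key") == rule_key:
            return parse_sonar_ts(rule["createdAt"]).date()
    return None


def rule_newer_than_plugin(rule_date, plugin_release=PLUGIN_RELEASE):
    """True when the rule's registration date postdates the analyzer release."""
    return rule_date is not None and rule_date > plugin_release


def main():
    # Placeholders: point these at your own server and token to run it live.
    base_url, token = "https://sonarqube.example.invalid", "squ_placeholder"
    try:
        plugins = fetch_json(base_url, "/api/plugins/installed", token)
        rules = fetch_json(base_url, "/api/rules/search", token, {"rule_key": RULE_KEY})
    except Exception as exc:  # offline: fall back to the constructed samples
        print(f"live fetch failed ({exc}); using constructed samples")
        plugins, rules = SAMPLE_PLUGINS, SAMPLE_RULES
    version = analyzer_version(plugins)
    since = rule_available_since(rules)
    print(f"{PLUGIN_KEY} analyzer version: {version}")
    print(f"{RULE_KEY} registered on server: {since}")
    print(f"registered after analyzer release: {rule_newer_than_plugin(since)}")


if __name__ == "__main__":
    main()
```

Run against a live server, the two printed dates let you separate the analyzer's release date from the date the server first registered the rule; on the constructed samples the rule date (15 March 2021) is later than the plugin release (20 July 2020), which is exactly the mismatch described in the post.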


Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.2 → 8.9.10 → 9.8 (last step optional)

(Note that the release of a new LTS, 9.9, is expected on 7 Feb 2023.)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.

Yes, this is true and you’re quite a ways behind.

