How to update the new rules in OWASP TOP 10 2021 SonarQube?

Hi, I´m have the next question: When would the new OWASP TOP 10 2021 rules in sonarqube be updated?. In the documentation of OWASP exist the new rules in last release : OWASP Top 10:2021


Excellent question! We were just talking about that internally the other day. There are actually multiple pieces of this on our side, which will be working on in the next couple versions. You should see it in 9.4. E.T.A…? ~March 2022.


1 Like


I think it’s important to understand what is new in the OWASP Top 10 2021.
There are no new rules. What is new is the grouping into 10 high-level categories of already identified and existing vulnerabilities detected by SAST vendors or security researchers.
The guys from OWASP took the vulnerabilities lists contributed by SAST vendors or security researchers which are mapped to CWEs, to finally group 196 CWEs into 10 high-level categories.

We did the effort to review the 196 CWEs and determined that 33% of them can’t be detected automatically by SAST technologies. In the end for us, it’s “only” 130 CWEs for which we could potentially implement a rule. As of now, with the existing rules provided by SonarQube 9.1+, we cover approximately half of these 130 CWEs.


Hi, Ms Ann

Thanks for your answer, I will hope the update in the nexts releases

Hey @ganncamp, just checking in on the release of 9.4 (OWASP TOP 10 2021 support). Looks like we may be looking to early Q2?

Hi @kirkpabk,

Technically, yes. Very early. Technical (internal) release is scheduled for Friday the 1st with public release / announcement on Monday the 4th.