Dependency-check discovers the vulnerability and it is reported in SonarQube.
But when I want to retrieve all components that have this vulnerability I am limited by SonarQube categorizing everything Dependency-check reports as CWE-937. There is no way for me to search for CVE-2021-44228, which is the issue I need to report on. See image below.
What I want is for SonarQube to retrieve the CVE that is listed in the vulnerability, enabling me to search for exact CVEs.
Hi @ganncamp and thank you for replying. There is a similar request on the Plugin-repo, but reading that it looks like SonarQube doesn’t allow the use of other CWEs during runtime analyses?
From the issue:
"This plugin is using only two rules (one with Security Hotspot function and one without). Currently SonarQube does not support overwriting or adding more CWEs at runtime.
As far as I know the rules cannot be changed after startup and it is not possible to add suitable rules dynamically.
Please note that CWE-937 applies to all vulnerabilities as described in the official documentation."
Can you verify that it is possible to classify with whichever CWE you want?
Edit:
When looking at the “Rules” in SonarQube, there is a limited number of tags that can be used. This is the issue at hand.
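Since the thread above establishes that SonarQube collapses every Dependency-check finding into CWE-937 and offers no CVE search, the practical way to answer "which components carry CVE-2021-44228?" is to index the Dependency-check report itself, which still carries the CVE ids and the real CWEs per finding. The script below is an added example and is not code from SonarQube, the dependency-check plugin, or the original poster. It assumes the layout of Dependency-check's JSON report (`dependencies[].fileName/filePath/packages[].id` and `dependencies[].vulnerabilities[].name/severity/cwes`); the embedded report, the jar names and the CVE-to-CWE mappings are constructed sample data, not a real scan.

```python
import json
import sys
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the shape of a dependency-check JSON report.
# Not a real scan: file names, paths and CWE lists are illustrative only.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "log4j-core-2.14.1.jar",
            "filePath": "/app/lib/log4j-core-2.14.1.jar",
            "packages": [{"id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-2021-44228", "severity": "CRITICAL",
                 "cwes": ["CWE-20", "CWE-400", "CWE-502"]},
                {"source": "NVD", "name": "CVE-2021-45046", "severity": "CRITICAL",
                 "cwes": ["CWE-502"]},
            ],
        },
        {
            "fileName": "log4j-api-2.14.1.jar",
            "filePath": "/app/lib/log4j-api-2.14.1.jar",
            "packages": [{"id": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"}],
            "vulnerabilities": [],
        },
        {
            "fileName": "spring-core-5.3.10.jar",
            "filePath": "/app/lib/spring-core-5.3.10.jar",
            "packages": [{"id": "pkg:maven/org.springframework/spring-core@5.3.10"}],
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-2022-22965", "severity": "CRITICAL",
                 "cwes": ["CWE-94"]},
            ],
        },
        {
            # Same artifact shipped a second time under another service: it must
            # show up as a second hit, because SonarQube's CWE-937 tag hides this.
            "fileName": "log4j-core-2.14.1.jar",
            "filePath": "/app/service-b/lib/log4j-core-2.14.1.jar",
            "packages": [{"id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-2021-44228", "severity": "CRITICAL",
                 "cwes": ["CWE-20", "CWE-400", "CWE-502"]},
            ],
        },
    ],
})


def index_by_cve(report_json: str) -> Dict[str, List[dict]]:
    """Build {CVE id: [finding, ...]} from the report's dependencies array.

    Each finding keeps the component's path and package URLs plus the CWEs
    dependency-check assigned, which is the detail SonarQube drops."""
    report = json.loads(report_json)
    index: Dict[str, List[dict]] = defaultdict(list)
    for dep in report.get("dependencies", []):
        purls = [p.get("id") for p in dep.get("packages", []) if p.get("id")]
        for vuln in dep.get("vulnerabilities") or []:
            cve = vuln.get("name")
            if not cve:
                continue
            index[cve.upper()].append({
                "cve": cve.upper(),
                "file": dep.get("fileName"),
                "path": dep.get("filePath"),
                "packages": purls,
                "severity": vuln.get("severity"),
                "cwes": list(vuln.get("cwes", [])),
            })
    return dict(index)


def components_with_cve(report_json: str, cve_id: str) -> List[dict]:
    """Every component (one entry per file path) that carries exactly this CVE."""
    return index_by_cve(report_json).get(cve_id.strip().upper(), [])


def summarize(report_json: str) -> Dict[str, int]:
    """CVE id -> number of affected component paths, most widespread first."""
    idx = index_by_cve(report_json)
    ordered = sorted(idx.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {cve: len(hits) for cve, hits in ordered}


if __name__ == "__main__":
    # usage: python find_cve.py CVE-2021-44228 [dependency-check-report.json]
    wanted = sys.argv[1] if len(sys.argv) > 1 else "CVE-2021-44228"
    source = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_REPORT
    for hit in components_with_cve(source, wanted):
        print(f"{hit['cve']}\t{hit['severity']}\t{hit['path']}\t"
              f"{','.join(hit['packages'])}\t{','.join(hit['cwes'])}")
```

Point it at the `dependency-check-report.json` the scanner writes next to the HTML report, and run it once per CI job to produce the exact-CVE listing that the SonarQube UI cannot give you; the `summarize` view is the quick "how many places does this CVE live" answer for a report on something like Log4Shell.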