List of supported CWE issues from SonarQube

We would like to check whether our source code has security problems that are in a list of CWE issues. Is it possible to get a list of the CWE issues which SonarQube can detect, to compare it with our list of CWE issues? Is it possible to check more CWE issues than are listed on https://rules.sonarsource.com/java/tag/cwe?

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube 7.9
  • what have you tried so far to achieve this
    Looked at https://rules.sonarsource.com/java/tag/cwe -> only 107 results.

Hello,

I confirm https://rules.sonarsource.com/java/tag/cwe is the list of the Java rules covering a CWE item.
You may think it's not a lot, whereas we believe we cover the most critical CWEs that can be detected by a SAST engine and that could really hurt.

If you are interested in checking your code to find security problems, I suggest you look at the list of Security Hotspot and Vulnerability rules provided by the Java analyzer.
With these rules and SonarQube 8.4+, you will get a coverage of the OWASP Top 10 and 2019 CWE Top 25 standards.

Can you share what you mentioned as your “list of CWE-Issues”?

Thanks
Alex

Hello Alex,

Thank you for your fast answer.
We need to check these CWE issues:

Issues

|CWE ID|CWE Name|
|---|---|
|15|External Control of System or Configuration Setting|
|73|External Control of File Name or Path|
|78|Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)|
|80|Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)|
|86|Improper Neutralization of Invalid Characters in Identifiers in Web Pages|
|88|Argument Injection or Modification|
|89|Improper Neutralization of Special Elements used in an SQL Command|
|90|Improper Neutralization of Special Elements used in an LDAP Query|
|91|XML Injection (aka Blind XPath Injection)|
|93|Improper Neutralization of CRLF Sequences ('CRLF Injection')|
|94|Improper Control of Generation of Code ('Code Injection')|
|95|Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)|
|98|Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion)|
|99|Improper Control of Resource Identifiers ('Resource Injection')|
|103|Struts: Incomplete validate() Method Definition|
|104|Struts: Form Bean Does Not Extend Validation Class|
|111|Direct Use of Unsafe JNI|
|112|Missing XML Validation|
|113|Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')|
|114|Process Control|
|117|Improper Output Neutralization for Logs|
|121|Stack-Based Buffer Overflow|
|125|Out-of-bounds Read|
|129|Improper Validation of Array Index|
|134|Uncontrolled Format String|
|135|Incorrect Calculation of Multi-Byte String Length|
|170|Improper Null Termination|
|190|Integer Overflow or Wraparound|
|191|Integer Underflow (Wrap or Wraparound)|
|192|Integer Coercion Error|
|193|Off-by-one Error|
|195|Signed to Unsigned Conversion Error|
|196|Unsigned to Signed Conversion Error|
|197|Numeric Truncation Error|
|201|Information Exposure Through Sent Data|
|209|Information Exposure Through an Error Message|
|215|Information Exposure Through Debug Information|
|234|Failure to Handle Missing Parameter|
|242|Use of Inherently Dangerous Function|
|243|Creation of Chroot Jail Without Changing Working Directory|
|245|J2EE Bad Practices: Direct Management of Connections|
|256|Plaintext Storage of a Password|
|259|Use of Hard-coded Password|
|274|Improper Handling of Insufficient Privileges|
|285|Improper Authorization|
|297|Improper Validation of Certificate with Host Mismatch|
|311|Missing Encryption of Sensitive Data|
|312|Cleartext Storage of Sensitive Information|
|313|Cleartext Storage in a File or on Disk [Static and Manual]|
|316|Cleartext Storage of Sensitive Information in Memory|
|321|Use of Hard-coded Cryptographic Key|
|326|Inadequate Encryption Strength|
|327|Use of a Broken or Risky Cryptographic Algorithm|
|329|Not Using a Random IV with CBC Mode|
|331|Insufficient Entropy|
|350|Reliance on Reverse DNS Resolution for a Security-Critical Action|
|352|Cross-Site Request Forgery (CSRF)|
|366|Race Condition within a Thread|
|367|Time-of-check Time-of-use (TOCTOU) Race Condition|
|377|Insecure Temporary File|
|378|Creation of Temporary File With Insecure Permissions|
|382|J2EE Bad Practices: Use of System.exit()|
|384|Session Fixation|
|391|Unchecked Error Condition|
|398|Indicator of Poor Code Quality|
|426|Untrusted Search Path|
|427|Uncontrolled Search Path Element|
|470|Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')|
|494|Download of Code Without Integrity Check|
|497|Exposure of System Data to an Unauthorized Control Sphere|
|498|Cloneable Class Containing Sensitive Information|
|501|Trust Boundary Violation|
|506|Embedded Malicious Code|
|511|Logic/Time Bomb|
|514|Covert Channel|
|522|Insufficiently Protected Credentials|
|557|Concurrency Issues|
|560|Use of umask() with chmod-style Argument|
|564|SQL Injection: Hibernate|
|601|URL Redirection to Untrusted Site ('Open Redirect')|
|611|Information Leak Through XML External Entity File Disclosure|
|614|Sensitive Cookie in HTTPS Session Without 'Secure' Attribute|
|639|Authorization Bypass Through User-Controlled Key|
|656|Reliance on Security Through Obscurity|
|668|Exposure of Resource to Wrong Sphere|
|675|Duplicate Operations on Resource|
|708|Incorrect Ownership Assignment|
|732|Incorrect Permission Assignment for Critical Resource|
|780|Use of RSA Algorithm without OAEP|
|798|Use of Hard-coded Credentials|
|829|Inclusion of Functionality from Untrusted Control Sphere|
|915|Improperly Controlled Modification of Dynamically-Determined Object Attributes|

Thanks
Gabriel
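The comparison Gabriel is asking for can be automated against a SonarQube instance rather than read off the public rules site. The script below is an added example, not code from the thread or from SonarSource: it pages through the server's `api/rules/search` Web API for Java rules tagged `cwe`, pulls the CWE IDs out of each rule's description (SonarQube rule descriptions reference CWEs as `cwe.mitre.org/data/definitions/<id>` links in their "See" section; that this is present in the `htmlDesc` field returned with `f=htmlDesc` is an assumption about the response shape), and reports which of the 92 CWE IDs from the table above are covered by at least one rule and which are not. The embedded `SAMPLE_RESPONSE` is a constructed stand-in for a real response so the script runs offline; its rule keys and CWE links are illustrative, not SonarSource's authoritative mapping.

```python
"""Compare a required CWE list against the CWE references carried by
SonarQube rules (api/rules/search). Added example, not part of the thread.

Assumptions: api/rules/search returns {"total", "p", "ps", "rules": [...]},
each rule carrying "key", "name" and (with f=htmlDesc) an "htmlDesc" whose
CWE references are cwe.mitre.org/data/definitions/<id> links.
"""
import base64
import json
import re
from urllib.request import Request, urlopen

# The CWE IDs from Gabriel's table, in the order given there.
REQUIRED_CWES = [
    15, 73, 78, 80, 86, 88, 89, 90, 91, 93, 94, 95, 98, 99, 103, 104, 111, 112,
    113, 114, 117, 121, 125, 129, 134, 135, 170, 190, 191, 192, 193, 195, 196,
    197, 201, 209, 215, 234, 242, 243, 245, 256, 259, 274, 285, 297, 311, 312,
    313, 316, 321, 326, 327, 329, 331, 350, 352, 366, 367, 377, 378, 382, 384,
    391, 398, 426, 427, 470, 494, 497, 498, 501, 506, 511, 514, 522, 557, 560,
    564, 601, 611, 614, 639, 656, 668, 675, 708, 732, 780, 798, 829, 915,
]

# Matches the MITRE definition links SonarQube rule descriptions use.
CWE_LINK = re.compile(r"cwe\.mitre\.org/data/definitions/(\d+)")


def extract_cwe_ids(html_desc):
    """Return the set of CWE IDs referenced by links in one rule description."""
    return {int(cwe) for cwe in CWE_LINK.findall(html_desc or "")}


def cwe_coverage(rules):
    """Map each referenced CWE ID to the keys of the rules that reference it."""
    coverage = {}
    for rule in rules:
        for cwe in extract_cwe_ids(rule.get("htmlDesc")):
            coverage.setdefault(cwe, []).append(rule["key"])
    return coverage


def compare(required, coverage):
    """Split the required IDs into (covered -> rule keys, missing) preserving order."""
    covered = {cwe: coverage[cwe] for cwe in required if cwe in coverage}
    missing = [cwe for cwe in required if cwe not in coverage]
    return covered, missing


def fetch_rules(base_url, token, language="java", page_size=500):
    """Page through api/rules/search for rules tagged 'cwe' (network call;
    not exercised by the offline demo). The token is sent as the Basic-auth
    user name with an empty password, as SonarQube expects."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    rules, page = [], 1
    while True:
        url = (f"{base_url}/api/rules/search?languages={language}&tags=cwe"
               f"&f=htmlDesc&ps={page_size}&p={page}")
        req = Request(url, headers={"Authorization": f"Basic {auth}"})
        with urlopen(req) as resp:
            data = json.load(resp)
        rules.extend(data["rules"])
        if page * page_size >= data["total"]:
            return rules
        page += 1


# Constructed stand-in for an api/rules/search page; keys and CWE links are
# illustrative only and not SonarSource's authoritative rule-to-CWE mapping.
SAMPLE_RESPONSE = {
    "total": 3, "p": 1, "ps": 500,
    "rules": [
        {"key": "java:S2077", "name": "Formatting SQL queries is security-sensitive",
         "htmlDesc": '<h2>See</h2><ul><li><a href="https://cwe.mitre.org/data/definitions/89">'
                     'MITRE, CWE-89</a></li><li><a href="https://cwe.mitre.org/data/definitions/564">'
                     'MITRE, CWE-564</a></li></ul>'},
        {"key": "java:S2068", "name": "Hard-coded credentials are security-sensitive",
         "htmlDesc": '<h2>See</h2><ul><li><a href="https://cwe.mitre.org/data/definitions/798">'
                     'MITRE, CWE-798</a></li><li><a href="https://cwe.mitre.org/data/definitions/259">'
                     'MITRE, CWE-259</a></li></ul>'},
        {"key": "java:S1166", "name": "Exception handlers should preserve the original exceptions",
         "htmlDesc": "<p>No CWE reference in this description.</p>"},
    ],
}


def report(rules, required=REQUIRED_CWES):
    """Build the coverage report for a list of rules against the required CWEs."""
    covered, missing = compare(required, cwe_coverage(rules))
    return {"covered": covered, "missing": missing}


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in
    # fetch_rules("https://sonar.example.invalid", "<token>") for a live server.
    result = report(SAMPLE_RESPONSE["rules"])
    print(f"{len(result['covered'])}/{len(REQUIRED_CWES)} required CWEs covered")
    for cwe, keys in sorted(result["covered"].items()):
        print(f"  CWE-{cwe}: {', '.join(keys)}")
    print("missing:", ", ".join(f"CWE-{c}" for c in result["missing"]))
```

Running the live variant against a 7.9 server lists only CWEs that some installed rule references, so it answers the first question exactly for the analyzers and plugins actually installed; CWEs in the "missing" output (many of the C/C++-style memory items such as 121, 125, 134 and 170 in a Java-only setup) are the ones that need another tool or a manual review.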