No Owasp top 10 2017 and 2021 violations in code

Hi I am using SonarQube LTS 9.9 Community version. Previously I could see the Owasp top 10, and CWE voilations under the Security category but now there is no such thing though there are security hotspots that are present with the CWE and Owasp tags in them. Is there a setting or config change that i need to do to see these violations?


Welcome to the community!

I still see this on the issues page in 9.9…?



The field are present but there are no issues related to it like no voilations are being shown under these categories. Just hotspost and vulnerabilities are being visible.


Only existing issues will show up here:


If you’re wondering why no issues are raised, that’s a deeper question:

  • What rules are enabled?
  • Are taint analysis rules available? (They start in Developer Edition($))
  • Is analysis configuration or a problem with analysis preventing some issues from being raised?


We are using the default profile sonar way for analysis. The voilations are visible in the security hotspots tab but not under security category. What rules does exactly needs to be enabled for them to be visible under the security category.


We segregate Security issues and Security Hotspots as two separate things. That’s why they show up in two different pages/tabs. You’re not going to see Security Hotspots listed in the security categories on the issues page.


Hi @Utkarsh,

Thank you for this feedback, we will include it in our ongoing discussions.


A post was split to a new topic: Which are security issues and which are security hotspots?