Hello,
You are totally right that Sonar doesn’t cover all the requirements of the OWASP ASVS V4: many of these requirements can’t be statically checked at the code level.
We followed this principle when building this feature. In the ASVS document, each requirement is mapped to a CWE.
From that document we extracted all the CWEs that Sonar covers. Whenever a rule/issue matches one of these CWEs, we know which ASVS requirement is not fulfilled, so we count the corresponding issues in the ASVS report. The report therefore only reflects the issues Sonar can detect; it does not, on its own, show that the other requirements are fulfilled.
Here is the mapping between the CWEs covered by Sonar and the ASVS requirements (each key is a CWE id, each value is the list of ASVS requirement ids it maps to):
{
"1002": [
"14.2.2"
],
"1004": [
"3.4.2"
],
"1009": [
"1.7.1"
],
"1021": [
"14.4.3",
"14.4.7"
],
"1026": [
"14.2.1"
],
"1029": [
"1.5.1"
],
"1053": [
"1.1.2"
],
"1059": [
"1.1.4",
"1.1.5"
],
"1104": [
"1.14.3"
],
"1110": [
"1.1.3"
],
"116": [
"1.5.4",
"5.2.1",
"5.3.1",
"13.1.1",
"14.4.2",
"14.4.4",
"14.4.6"
],
"117": [
"7.3.1",
"7.3.2"
],
"120": [
"5.4.1",
"14.1.2"
],
"134": [
"5.4.2"
],
"138": [
"5.2.2"
],
"147": [
"5.2.3"
],
"159": [
"5.2.7"
],
"16": [
"2.5.4",
"3.4.3",
"3.4.4",
"3.4.5",
"10.3.1",
"14.1.3"
],
"173": [
"14.4.1"
],
"176": [
"5.3.2"
],
"190": [
"5.4.3"
],
"19": [
"8.1.5",
"8.1.6"
],
"20": [
"5.1.3",
"5.1.4"
],
"22": [
"12.3.1"
],
"210": [
"7.4.1",
"8.3.2"
],
"226": [
"8.3.6"
],
"233": [
"8.1.3"
],
"235": [
"5.1.1"
],
"245": [
"13.2.6",
"13.3.2"
],
"255": [
"2.10.2"
],
"256": [
"2.10.3"
],
"263": [
"2.1.10"
],
"265": [
"1.14.5",
"14.2.6"
],
"272": [
"10.2.2"
],
"284": [
"4.1.1",
"4.1.2"
],
"285": [
"4.1.3",
"4.1.5"
],
"290": [
"3.5.1"
],
"295": [
"1.9.2",
"9.2.1"
],
"299": [
"9.2.4"
],
"304": [
"2.2.2"
],
"306": [
"14.5.4"
],
"307": [
"2.2.1"
],
"308": [
"2.2.4",
"2.2.6",
"2.2.7",
"2.3.2",
"2.5.7",
"2.6.1",
"2.8.7"
],
"310": [
"6.2.1",
"2.6.3",
"2.7.6"
],
"311": [
"6.1.1",
"6.1.2",
"6.1.3"
],
"319": [
"1.9.1",
"9.1.1",
"9.2.2"
],
"320": [
"1.6.1",
"1.6.2",
"1.6.3",
"1.6.4",
"2.8.2",
"2.9.1",
"6.4.2"
],
"326": [
"2.8.3",
"6.2.3",
"6.2.4",
"6.2.5",
"6.2.6",
"6.2.7",
"9.1.2",
"9.1.3"
],
"327": [
"2.9.3",
"6.2.2",
"8.3.7"
],
"330": [
"2.3.1",
"2.6.2",
"2.9.2"
],
"331": [
"3.2.2",
"3.2.4"
],
"338": [
"6.3.1",
"6.3.2",
"6.3.3"
],
"345": [
"3.5.3"
],
"346": [
"14.5.2",
"14.5.3"
],
"350": [
"10.3.3"
],
"352": [
"4.2.2",
"13.2.3"
],
"353": [
"10.3.2"
],
"359": [
"10.2.1"
],
"367": [
"11.1.6"
],
"384": [
"3.2.1"
],
"385": [
"6.2.8"
],
"390": [
"11.1.8"
],
"400": [
"12.1.1"
],
"409": [
"12.1.2"
],
"419": [
"4.3.1"
],
"431": [
"7.4.3"
],
"434": [
"12.2.1",
"12.5.2",
"13.1.5"
],
"436": [
"13.2.5"
],
"477": [
"1.14.6"
],
"494": [
"1.14.2"
],
"497": [
"14.3.2"
],
"502": [
"1.5.2",
"5.5.1",
"5.5.3"
],
"507": [
"10.2.3",
"10.2.6"
],
"509": [
"12.4.2"
],
"511": [
"10.2.4",
"10.2.5"
],
"521": [
"2.1.1",
"2.1.2",
"2.1.3",
"2.1.4",
"2.1.7",
"2.1.8",
"2.1.9",
"2.1.11",
"2.1.12",
"2.10.3"
],
"522": [
"2.10.3"
],
"523": [
"2.7.4",
"14.4.5"
],
"524": [
"8.1.1",
"8.1.2"
],
"525": [
"8.2.1"
],
"532": [
"7.1.1",
"7.1.2",
"8.3.5"
],
"539": [
"3.2.3"
],
"544": [
"7.4.2",
"9.2.5"
],
"548": [
"4.3.2"
],
"552": [
"12.4.1",
"12.5.1"
],
"598": [
"3.1.1",
"13.1.3"
],
"601": [
"5.1.5"
],
"602": [
"1.5.3",
"4.1.1"
],
"611": [
"5.5.2"
],
"613": [
"2.8.1",
"2.8.6",
"3.3.1",
"3.3.2",
"3.3.3",
"3.3.4"
],
"614": [
"3.4.1"
],
"620": [
"2.1.5",
"2.1.6",
"2.2.3"
],
"637": [
"1.1.6",
"1.1.7"
],
"639": [
"4.1.2",
"4.2.1"
],
"640": [
"2.5.1",
"2.5.2",
"2.5.3",
"2.5.6"
],
"641": [
"12.3.4"
],
"643": [
"5.3.10"
],
"646": [
"1.12.2"
],
"650": [
"13.2.1"
],
"710": [
"8.1.4"
],
"754": [
"11.1.7"
],
"732": [
"4.3.3"
],
"749": [
"10.1.1",
"14.5.1"
],
"770": [
"12.1.3"
],
"778": [
"7.1.3",
"7.1.4",
"7.2.1"
],
"779": [
"13.2.4"
],
"799": [
"11.1.2"
],
"73": [
"12.3.2"
],
"78": [
"5.3.8",
"12.3.5"
],
"79": [
"5.3.3"
],
"798": [
"2.10.4",
"3.5.2",
"6.4.1"
],
"829": [
"5.3.9",
"12.3.6"
],
"830": [
"5.3.6",
"14.2.3",
"14.2.4"
],
"841": [
"11.1.1",
"11.1.5"
],
"89": [
"5.3.4",
"5.3.5"
],
"915": [
"5.1.2"
],
"916": [
"2.4.1",
"2.4.2",
"2.4.3",
"2.4.4",
"2.4.5"
],
"918": [
"5.2.6",
"12.6.1"
],
"922": [
"8.2.2",
"8.2.3"
],
"923": [
"1.14.1"
],
"94": [
"5.2.5",
"5.2.8"
],
"943": [
"5.3.7",
"5.3.10"
],
"95": [
"5.2.4",
"5.5.4"
],
"90": [
"5.3.7"
],
"98": [
"12.3.3",
"5.3.9"
]
}