OWASP/CWE in Community Edition

I use the Community Edition of SonarQube and I get listings of CWE violations as well as OWASP listings. So why do I need the Enterprise Edition? I know the documentation say Security Report but what does that mean exactly? I don’t care for fancy reports. I only need to detect vulnerability risks.

Hi @leer5 ,
Which version of SonarQube Community Edition are you using?

Hi Carine
I’m using 8.6

Can you send here some screenshot of what you see? and in which languages?

To summarise “quickly” what you will get in addition in the Enterprise Edition :

  • Detection of injection flaws rules in Java, C#, PHP, Python, JS
  • Rules related to buffer overflows in C++
  • Security Hotspots rules additional in Java, C#, PHP, Python, JS/TS
  • Security Reports (OWASP / SANS / CWE classification)

and all the additional features of the Enterprise Edition, such as branch analysis, PR decoration, portfolios, to help you fix your issues the earliest to avoid additional dev time/cost…

I would highly recommend you to try it by asking for a free trial key here.


I’m using Java. SQ 8.6 CE.

Looks like I’m getting the CWE and OWASP in the Community Edition.

You will have some rules available in the Community Edition (basic ones). You can see on our rules website, which rules are available starting in Community, which are available only in Developer+ editions, at the bottom of each rule description.
To benefit from detection of injection (like SQL injections, OS Command etc), you’ll need to move to a commercial edition.
Ex: Java injection rule: Rules explorer

Thank you for this clarification. Can you answer one more question? My Dev Env is cut off from the internet so how do I get updates to these rules or when there are new ways to compromise or violate the rules? Thanks.

Hi @leer5 ,

this is a completely different question and a good practice here is to open a new thread for a new topic :slight_smile: I will answer here as this one is quite “easy”: new rules that are added in the releases of SonarQube versions will be added to your SonarQube after you do the upgrade.
For this, you just have to follow the upgrade path described in the docs here. There is no “automatic” upgrade of your SonarQube Server.

Let us know if you want to try the commercial editions to benefit from more SAST rules!


1 Like