OWASP/CWE in Community Edition

I use the Community Edition of SonarQube and I get listings of CWE violations as well as OWASP listings. So why do I need the Enterprise Edition? I know the documentation says Security Report, but what does that mean exactly? I don’t care for fancy reports. I only need to detect vulnerability risks.

Hi @leer5 ,
Which version of SonarQube Community Edition are you using?
Thanks,
Carine

Hi Carine
I’m using 8.6
Thanks
Robert

Can you send some screenshots here of what you see, and in which languages?

To summarise “quickly” what you will get in addition in the Enterprise Edition:

  • Injection-flaw detection rules in Java, C#, PHP, Python, JS
  • Rules related to buffer overflows in C++
  • Additional Security Hotspot rules in Java, C#, PHP, Python, JS/TS
  • Security Reports (OWASP / SANS / CWE classification)

and all the additional features of the Enterprise Edition, such as branch analysis, PR decoration and portfolios, to help you fix your issues as early as possible and avoid additional dev time/cost.

I would highly recommend trying it by asking for a free trial key here.

HTH,
Carine

I’m using Java. SQ 8.6 CE.

Looks like I’m getting the CWE and OWASP in the Community Edition.

You will have some rules available in the Community Edition (basic ones). On our rules website, at the bottom of each rule description, you can see which rules are available starting in Community and which are available only in Developer+ editions.
To benefit from injection detection (like SQL injection, OS command injection, etc.), you’ll need to move to a commercial edition.
Ex: Java injection rule: Rules explorer

Thank you for this clarification. Can you answer one more question? My Dev Env is cut off from the internet so how do I get updates to these rules or when there are new ways to compromise or violate the rules? Thanks.

Hi @leer5 ,

This is a completely different question, and a good practice here is to open a new thread for a new topic :slight_smile: I will answer here as this one is quite “easy”: new rules that are added in SonarQube releases will be added to your SonarQube after you do the upgrade.
For this, you just have to follow the upgrade path described in the docs here. There is no “automatic” upgrade of your SonarQube Server.

Let us know if you want to try the commercial editions to benefit from more SAST rules!

Carine
