OWASP Top 10 and CWE Top 25 coverage in SonarQube 8.9

The release announcement for SonarQube 8.7 stated:

With every release, we’re adding more value add to keep your code secure. Now, for Java, JavaScript, C & C++ you can expect 80+% detection of OWASP Top 10 and CWE Top 25 vulnerabilities.

What is the % detection figure for 8.9 LTS? I have to provide this info for a bid.

Hello Mark,

This is not an easy question because, as you should know, the OWASP Top 10 2017 is just a set of 10 categories corresponding to the most common types of vulnerabilities introduced by developers. The latest Top 10 was established based on data prior to 2017 (and we are all waiting for a refresh with the 2020 version).
Nothing in the OWASP Top 10 documentation lists exactly which CWE items should be detected to be able to say we cover 100% of it. Even if such data existed, it wouldn’t be super accurate because it’s hard to know where to stop to say we cover one category. Using a percentage to talk about OWASP Top 10 is just a convenient shortcut used in communication, and depending on the person doing the maths, the percentage can be different.
Talking about CWE Top 25, we support CWE Top 25 2019 / 2020. For this, it’s easier: there are 25 CWEs, so 25 types of security problems. So for each of the 25 CWEs that can be detected by static analysis, we have at minimum one rule, but we can’t say we cover 100% of the issues linked to the CWE Top 25 items because having a rule covering one CWE item doesn’t mean you can detect all issues related to that CWE.

The main problem overall of these “top something” is that there is no exhaustive list of test cases that should be fulfilled to be able to say at 100% we got you covered.
With SonarQube 8.9 LTS, you are in the best hands of the SAST market to quickly know if your software is exposed to any of the risks highlighted by OWASP Top 10 and CWE Top 25.

Alex
