OWASP Top 10 rules scanning in SonarCloud

We are using SonarCloud version and looking for some clarity on OWASP scanning.

According to the Sonar documentation OWASP Top 10 Security Vulnerability Coverage with SonarQube, SonarCloud & SonarLint, OWASP Top 10 security scanning is available in SonarCloud version.

Can someone please confirm if the OWASP Top 10 scanning happens by default or if we will have to enable some rules in our Quality profile?

I searched for tags such as owasp or A01 and a few similar tags in the quality profile, but could not find any. Hence, looking for clarification.

Many, but not necessarily all rules are active by default.

In the Rules tab of your organization, I suggest filtering down to the Quality Profile you’re interested in as well as a Security Category (like A1), and toggle between active/inactive rules.
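The same check can be scripted against the SonarCloud Web API instead of clicking through the Rules tab. This is an added example, not code from the thread or from Sonar: the endpoint and parameters (api/rules/search with qprofile, activation and owaspTop10) are assumed from the public Web API documentation, the token handling is an assumption, and fake_fetch with SAMPLE_INACTIVE is constructed data so the script runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "https://sonarcloud.io"          # assumption: SonarCloud's API host
OWASP_CATEGORIES = [f"a{i}" for i in range(1, 11)]  # a1..a10, the owaspTop10 filter values

def _http_get(url, token):
    """Fetch JSON; a SonarCloud user token is sent as the Basic-auth username (assumed)."""
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def search_rules(qprofile, category, activation, token, fetch=_http_get, page_size=500):
    """Rules of one OWASP Top 10 category with the given activation state in the
    quality profile (qprofile is the profile key). Pages until `total` is reached."""
    rules, page = [], 1
    while True:
        params = {"qprofile": qprofile, "activation": str(activation).lower(),
                  "owaspTop10": category, "ps": page_size, "p": page}
        data = fetch(f"{BASE_URL}/api/rules/search?{urllib.parse.urlencode(params)}", token)
        rules.extend(data["rules"])
        if page * page_size >= data["total"]:
            return rules
        page += 1

def inactive_by_category(qprofile, token, fetch=_http_get):
    """Map each category to the keys of rules Sonar ships for it that the
    profile does NOT activate; an empty list means nothing is left to enable."""
    return {cat: sorted(r["key"] for r in search_rules(qprofile, cat, False, token, fetch))
            for cat in OWASP_CATEGORIES}

# Constructed sample data standing in for the network so the script runs offline.
SAMPLE_INACTIVE = {"a1": ["example:S002", "example:S001"], "a3": ["example:S010"]}

def fake_fetch(url, token):
    """Answer api/rules/search queries from SAMPLE_INACTIVE, honouring ps/p paging."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    keys = [] if q["activation"][0] == "true" else SAMPLE_INACTIVE.get(q["owaspTop10"][0], [])
    p, ps = int(q["p"][0]), int(q["ps"][0])
    return {"total": len(keys), "p": p, "ps": ps,
            "rules": [{"key": k} for k in keys[(p - 1) * ps:p * ps]]}

if __name__ == "__main__":
    for cat, keys in inactive_by_category("AX-profile-key", "token", fake_fetch).items():
        print(cat, keys or "all rules active")
```

Passing the real _http_get (the default) with your organization's profile key and a user token runs the same query against SonarCloud; the per-page loop matters because a single category can hold more rules than one page returns.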

Hi Colin, thanks for clarifying.

Can it be interpreted this way? All the OWASP Top 10 and CWE Top 25 rules are present by default, but we need to check if they are active or not.

I think that’s a safe statement, although by no means are we certifying that all rules that could ever fall under OWASP Top 10 or CWE Top 25 are present by default (maybe we haven’t developed them yet!).