OWASP Top 10 version

jchan · January 15, 2020, 8:20am

Dear Sonar Team,

May I know what is the current version of OWASP Top 10 leveraged by SonarCloud ? OWASP Top 10 2017?

Thanks,
Jimmy

Alexandre_Gigleux · January 17, 2020, 7:16am

Hello,

I confirm it’s OWASP Top 10 2017.

Alex

jchan · January 17, 2020, 9:26am

Thanks Alex

kirkpabk · October 7, 2021, 11:29am

Hey @Alexandre_Gigleux,

As you may be aware, OWASP has released the Top 10:2021 list. When might your product roadmap reflect this important update?

OWASP Top 10:2021

GitHub - OWASP/Top10: Official OWASP Top 10 Document Repository

Alexandre_Gigleux · October 7, 2021, 11:50am

Hello,

It is in the SonarQube Roadmap and scheduled for SQ 9.x cycle.

Alex

msymons · October 21, 2021, 5:25pm

@Alexandre_Gigleux, is there any firmer indication of when this might actually be? The SQ 8.x cycle was 19 months (by my calculation) and, so far, we are only 3 months into the 9.x cycle. So, are we likely to get Top 10:2021 support in 2021 or 2022 or in 2023?

The reason why having a better idea of the date is for budgetting and planning purposes. We have just spent a lot of effort on Top 10:2017 training and that’s OK as that matches the tooling (eg, SQ). But we will need to plan (and pay) for training that will be ready for the release of Top 10:2021 support in SQ and other tools.

Of course, seeing support for Top 10:2021 sooner rather than later will be a huge boost for security reporting. This version of the Top 10 has a lot of changes. It is not just about the headline “three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10”. For me, the real thing of interest is that the number of mapped CWEs has increased from 30 to nearly 400.

That last bit also means I do understand that it is non-trivial to actually implement the support. But I am champing at the bit in anticipation

One teeny thing though… can I suggest that OWASP Top 10 in SQ is actually labelled with the year? Labelling the current impementation “2017” can be done before 2021 support is ready… and would have helped @jchan and many others.

Alexandre_Gigleux · October 22, 2021, 6:56am

Hello,

The work related to OWASP Top 10 2021 actually started … this week. We are in the process to map all our rules to it and measuring our current coverage and what needs to be done to improve this coverage.
In total, the OWASP Top 10 2021 maps to 196 CWEs (I know that OWASP mentions 400 CWEs in their documentation but when you do the sum category by category it’s “only” 196).
Our plans is to gradually release all our analyzers so they provide the info to SonarQube and SonarCloud and we expect to impact the SonarQube UI for Q1 2022: filter on Issues + the Security Reports mainly.

I confirm that we want to keep both versions (the 2017 and 2021) at the same time to help users in the transition and where today you see “OWASP Top 10”, it will be renamed to 2017.

Alex

joshua.palan · December 16, 2021, 5:07pm

Would it be possible to get a status update on this effort? Have any OWASP Top 10 2021 analyzers already been released? Are you still on track for a UI update in Q1 2022? Do you have a specific 9.x release you’re targeting for the implementation of these changes? Thank you in advance!

Alexandre_Gigleux · December 16, 2021, 5:37pm

Hello,

We are on track for Q1 2022 and expect to have support of OWASP Top 10 2021 for SonarQube 9.4

Alex

kirkpabk · December 21, 2021, 2:15pm

@Alexandre_Gigleux, really good news! Thanks Alex! I will watch this thread for updates.

Zia · August 11, 2022, 12:12am

Hi,
We use SonarQube enterprise Version 8.9.9.5688. By reading this blog, is it confirmed the SQ 9.4 now supporting the OWASP Top 10 2021? If I am correct, the 9.4 is not an LTS version. What we have to do to scan and analysis the OWASP Top 10 2021? Do we need to switch to a non-LTS version? I appreciate any feedback. Thank you,

Colin · August 11, 2022, 8:01am

OWASP Top 10 2021 is supported in the latest v9.x version – v9.x LTS is expected at the end of this year or early next year.

Zia · August 11, 2022, 2:46pm

Thanks Colin, the info is helpful.

Zia · November 11, 2022, 5:31pm

Hi, Is the SonarQube LTS 8.9.10 now supporting the OWASP top 2021? I appreciate your response.

Thank you,

Zia · November 11, 2022, 5:57pm

Hi Colin,

If I read an earlier comment from you (Aug, 11,2022), it seems the EnterpriseLlTS edition has not added the OWASP 10 (2021) yet in the SonarQube 8.9.10. Am I correct? Probably it would be in Enterprise 9.x (serial) Thanks,

Alexandre_Gigleux · November 14, 2022, 1:45pm

Hello,

To get the support of OWASP Top 10 2021, you need to upgrade your instance to the latest 9.7 Enterprise or wait a couple of months to get the 9.x Enterprise LTS if you absolutely need an LTS version.

Alex

Zia · November 14, 2022, 2:00pm

Thanks, Alex for your response.

Alexandre_Gigleux · December 19, 2022, 9:19am

A post was split to a new topic: UI bugs in Issues page date filter?

deborre · July 17, 2023, 9:01am

Hey @Alexandre_Gigleux – can you confirm how/when this is available in sonarcloud SaaS offering?

Colin · August 5, 2024, 2:50pm

Hey @deborre

We recently launched SonarCloud Enterprise, which includes support for Security Reports!

Topic		Replies	Views
How to update the new rules in OWASP TOP 10 2021 SonarQube? SonarQube Server / Community Build	5	2408	March 16, 2022
How dose SonarQube get updates for current CWA, OWASP Top 10 and SANS Top 25 entries? SonarQube Server / Community Build security	3	940	October 22, 2020
How to update the new rules in OWASP TOP 10 2021? SonarQube Cloud	2	585	September 14, 2022
OWASP security rules of 2024 not showing in SonarQube developer edition SonarQube Server / Community Build owasp	1	117	June 12, 2024
No OWASP Top 10 results in new SonarQube version SonarQube Server / Community Build csharp , sonarqube , dotnet , azuredevops-server	5	2774	October 22, 2021

OWASP Top 10 version

Related topics