OWASP Top 10 version

Dear Sonar Team,

May I know what is the current version of OWASP Top 10 leveraged by SonarCloud? OWASP Top 10 2017?

Thanks,
Jimmy

Hello,

I confirm it’s OWASP Top 10 2017.

Alex

Thanks Alex 🙂

Hey @Alexandre_Gigleux,

As you may be aware, OWASP has released the Top 10:2021 list. When might your product roadmap reflect this important update?

OWASP Top 10:2021

GitHub - OWASP/Top10: Official OWASP Top 10 Document Repository

Hello,

It is in the SonarQube Roadmap and scheduled for SQ 9.x cycle.

Alex


@Alexandre_Gigleux, is there any firmer indication of when this might actually be? The SQ 8.x cycle was 19 months (by my calculation) and, so far, we are only 3 months into the 9.x cycle. So, are we likely to get Top 10:2021 support in 2021 or 2022 or in 2023?

The reason for wanting a better idea of the date is budgeting and planning. We have just spent a lot of effort on Top 10:2017 training and that’s OK as that matches the tooling (e.g., SQ). But we will need to plan (and pay) for training that will be ready for the release of Top 10:2021 support in SQ and other tools.

Of course, seeing support for Top 10:2021 sooner rather than later will be a huge boost for security reporting. This version of the Top 10 has a lot of changes. It is not just about the headline “three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10”. For me, the real thing of interest is that the number of mapped CWEs has increased from 30 to nearly 400.

That last bit also means I do understand that it is non-trivial to actually implement the support. But I am champing at the bit in anticipation 😀

One teeny thing though… can I suggest that OWASP Top 10 in SQ is actually labelled with the year? Labelling the current implementation “2017” can be done before 2021 support is ready… and would have helped @jchan and many others.


Hello,

The work related to OWASP Top 10 2021 actually started … this week. We are in the process of mapping all our rules to it and measuring our current coverage and what needs to be done to improve it.
In total, the OWASP Top 10 2021 maps to 196 CWEs (I know that OWASP mentions 400 CWEs in their documentation, but when you do the sum category by category it’s “only” 196).
Our plan is to gradually release all our analyzers so they provide the info to SonarQube and SonarCloud, and we expect to impact the SonarQube UI in Q1 2022: the filter on Issues and the Security Reports, mainly.

I confirm that we want to keep both versions (the 2017 and 2021) at the same time to help users in the transition and where today you see “OWASP Top 10”, it will be renamed to 2017.

Alex

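The mapping and coverage exercise Alex describes (map every rule to the 2021 categories through the CWEs it detects, then measure how much of each category the rule set covers) can be reproduced for any CWE-tagged ruleset. The script below is an added example, not Sonar's code or the official OWASP data: the category-to-CWE table is a constructed toy subset (the real categories carry dozens of CWEs each), and the rule keys and their CWE tags are illustrative. CWE-20 is deliberately placed in two categories to show why a per-category sum and a distinct count differ, which is the same kind of discrepancy behind the "400 vs 196" remark.

```python
"""Measure OWASP Top 10 2021 coverage of a CWE-tagged rule set.

Added example, not Sonar's code. OWASP_2021_TO_CWE is a CONSTRUCTED toy
subset of the real category -> CWE mapping; RULES uses illustrative rule
keys and CWE tags. The numbers produced are for this toy data only.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

# Constructed sample mapping (not the official list). CWE-20 appears in two
# categories on purpose: summing per category then counts it twice.
OWASP_2021_TO_CWE: Dict[str, Set[int]] = {
    "A01:2021 Broken Access Control": {22, 284, 352, 639},
    "A02:2021 Cryptographic Failures": {327, 328, 331, 916},
    "A03:2021 Injection": {20, 78, 79, 89, 94},
    "A04:2021 Insecure Design": {20, 209, 522},
    "A05:2021 Security Misconfiguration": {16, 611, 1004},
    "A06:2021 Vulnerable and Outdated Components": {1104},
    "A07:2021 Identification and Authentication Failures": {287, 306, 798},
    "A08:2021 Software and Data Integrity Failures": {502, 829},
    "A09:2021 Security Logging and Monitoring Failures": {117, 532},
    "A10:2021 Server-Side Request Forgery": {918},
}

# Illustrative rule keys, each tagged with the CWE(s) it detects.
RULES: Dict[str, Set[int]] = {
    "S2076": {78},        # OS command injection
    "S3649": {89},        # SQL injection
    "S5131": {79},        # XSS
    "S5334": {94},        # code injection
    "S2083": {22},        # path traversal
    "S4423": {327},       # weak TLS/SSL algorithm
    "S5542": {327, 328},  # weak cipher / hash (one rule, two CWEs)
    "S2068": {798},       # hard-coded credentials
    "S2755": {611},       # XXE
    "S5145": {117},       # log injection
    "S5144": {918},       # SSRF
    "S1234": {20},        # hypothetical input-validation rule (CWE in 2 categories)
}


class Coverage(NamedTuple):
    covered: FrozenSet[int]   # CWEs of this category that some rule detects
    total: int                # CWEs the category maps to
    rules: Tuple[str, ...]    # rule keys contributing to this category


def summed_cwe_count(mapping: Dict[str, Set[int]] = OWASP_2021_TO_CWE) -> int:
    """Category-by-category sum: counts a shared CWE once per category."""
    return sum(len(cwes) for cwes in mapping.values())


def distinct_cwe_count(mapping: Dict[str, Set[int]] = OWASP_2021_TO_CWE) -> int:
    """Number of distinct CWEs across all categories (shared CWEs counted once)."""
    return len(set().union(*mapping.values()))


def categories_for_rule(rule_key: str,
                        rules: Dict[str, Set[int]] = RULES,
                        mapping: Dict[str, Set[int]] = OWASP_2021_TO_CWE) -> List[str]:
    """OWASP 2021 categories a rule maps to; a rule can land in several."""
    rule_cwes = rules[rule_key]
    return sorted(cat for cat, cwes in mapping.items() if rule_cwes & cwes)


def coverage(rules: Dict[str, Set[int]] = RULES,
             mapping: Dict[str, Set[int]] = OWASP_2021_TO_CWE) -> Dict[str, Coverage]:
    """Per-category coverage of the rule set, keyed by category name."""
    result: Dict[str, Coverage] = {}
    for cat, cwes in mapping.items():
        hits = {key for key, rule_cwes in rules.items() if rule_cwes & cwes}
        covered = frozenset().union(*(rules[k] for k in hits)) & frozenset(cwes)
        result[cat] = Coverage(covered, len(cwes), tuple(sorted(hits)))
    return result


def report(rules: Dict[str, Set[int]] = RULES,
           mapping: Dict[str, Set[int]] = OWASP_2021_TO_CWE) -> str:
    """Human-readable coverage table plus the two totals, as one string."""
    lines = [f"{'category':<55} covered/total  rules"]
    for cat, cov in coverage(rules, mapping).items():
        lines.append(f"{cat:<55} {len(cov.covered):>3}/{cov.total:<5}  {', '.join(cov.rules) or '-'}")
    lines.append(f"CWEs summed per category: {summed_cwe_count(mapping)}; "
                 f"distinct: {distinct_cwe_count(mapping)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The uncovered set for a category (`set(OWASP_2021_TO_CWE[cat]) - cov.covered`) is the backlog of CWEs that still need a rule, which is the "what needs to be done to improve this coverage" part of the exercise. When the real mapping is substituted, watch for the same CWE-sharing effect: a rule tagged with a shared CWE raises the coverage of every category that CWE belongs to, so per-category percentages are not additive.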

Would it be possible to get a status update on this effort? Have any OWASP Top 10 2021 analyzers already been released? Are you still on track for a UI update in Q1 2022? Do you have a specific 9.x release you’re targeting for the implementation of these changes? Thank you in advance!

Hello,

We are on track for Q1 2022 and expect to have support for OWASP Top 10 2021 in SonarQube 9.4.

Alex


@Alexandre_Gigleux, really good news! Thanks Alex! I will watch this thread for updates.

Hi,
We use SonarQube Enterprise Version 8.9.9.5688. From reading this blog, is it confirmed that SQ 9.4 now supports the OWASP Top 10 2021? If I am correct, 9.4 is not an LTS version. What do we have to do to scan and analyze for the OWASP Top 10 2021? Do we need to switch to a non-LTS version? I appreciate any feedback. Thank you,

OWASP Top 10 2021 is supported in the latest v9.x version – v9.x LTS is expected at the end of this year or early next year.

Thanks Colin, the info is helpful.

Hi, is the SonarQube LTS 8.9.10 now supporting the OWASP Top 10 2021? I appreciate your response.

Thank you,

Hi Colin,

If I read an earlier comment from you (Aug 11, 2022) correctly, it seems the Enterprise LTS edition has not added the OWASP Top 10 (2021) yet in SonarQube 8.9.10. Am I correct? Probably it would be in the Enterprise 9.x series. Thanks,

Hello,

To get the support of OWASP Top 10 2021, you need to upgrade your instance to the latest 9.7 Enterprise or wait a couple of months to get the 9.x Enterprise LTS if you absolutely need an LTS version.

Alex

Thanks, Alex for your response.