OWASP Top 10 version

Dear Sonar Team,

May I know what is the current version of OWASP Top 10 leveraged by SonarCloud? OWASP Top 10 2017?

Thanks,
Jimmy

Hello,

I confirm it’s OWASP Top 10 2017.

Alex

Thanks Alex :slightly_smiling_face:

Hey @Alexandre_Gigleux,

As you may be aware, OWASP has released the Top 10:2021 list. When might your product roadmap reflect this important update?

OWASP Top 10:2021

GitHub - OWASP/Top10: Official OWASP Top 10 Document Repository

Hello,

It is in the SonarQube Roadmap and scheduled for SQ 9.x cycle.

Alex


@Alexandre_Gigleux, is there any firmer indication of when this might actually be? The SQ 8.x cycle was 19 months (by my calculation) and, so far, we are only 3 months into the 9.x cycle. So, are we likely to get Top 10:2021 support in 2021 or 2022 or in 2023?

The reason why having a better idea of the date matters is for budgeting and planning purposes. We have just spent a lot of effort on Top 10:2017 training and that’s OK as that matches the tooling (e.g., SQ). But we will need to plan (and pay) for training that will be ready for the release of Top 10:2021 support in SQ and other tools.

Of course, seeing support for Top 10:2021 sooner rather than later will be a huge boost for security reporting. This version of the Top 10 has a lot of changes. It is not just about the headline “three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10”. For me, the real thing of interest is that the number of mapped CWEs has increased from 30 to nearly 400.

That last bit also means I do understand that it is non-trivial to actually implement the support. But I am champing at the bit in anticipation :grinning:

One teeny thing though… can I suggest that OWASP Top 10 in SQ is actually labelled with the year? Labelling the current implementation “2017” can be done before 2021 support is ready… and would have helped @jchan and many others.


Hello,

The work related to OWASP Top 10 2021 actually started … this week. We are in the process of mapping all our rules to it and measuring our current coverage and what needs to be done to improve this coverage.
In total, the OWASP Top 10 2021 maps to 196 CWEs (I know that OWASP mentions 400 CWEs in their documentation, but when you do the sum category by category it’s “only” 196).
Our plan is to gradually release all our analyzers so they provide the info to SonarQube and SonarCloud, and we expect to impact the SonarQube UI in Q1 2022: the filter on Issues + the Security Reports mainly.

I confirm that we want to keep both versions (the 2017 and 2021) at the same time to help users in the transition and where today you see “OWASP Top 10”, it will be renamed to 2017.

Alex

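As an added example (not Sonar’s code, and not part of the original thread), here is the kind of rule-to-CWE-to-category coverage measurement Alex describes above, plus the “sum category by category versus distinct CWEs” check from his post. The rule identifiers are invented, and the per-category CWE sets are a deliberately trimmed subset of the OWASP Top 10:2021 mapping; the authoritative lists live in the OWASP/Top10 repository linked earlier in the thread.

```python
"""Added example: measure how well a set of analyzer rules, each tagged with the
CWEs it detects, covers an OWASP Top 10 category list. Not Sonar's code."""
from collections import defaultdict

# Constructed subset of the OWASP Top 10:2021 CWE mapping. The real list has
# roughly 196 CWEs over ten categories; only a few per category appear here.
OWASP_2021 = {
    "A01:2021 Broken Access Control": {22, 284, 285, 352, 639},
    "A02:2021 Cryptographic Failures": {326, 327, 328, 330, 916},
    "A03:2021 Injection": {20, 78, 79, 89},
    "A04:2021 Insecure Design": {209, 256, 501, 522},
    "A05:2021 Security Misconfiguration": {16, 611},
    "A06:2021 Vulnerable and Outdated Components": {937, 1104},
    "A07:2021 Identification and Authentication Failures": {259, 287, 384, 798},
    "A08:2021 Software and Data Integrity Failures": {502, 829},
    "A09:2021 Security Logging and Monitoring Failures": {117, 223, 532},
    "A10:2021 Server-Side Request Forgery": {918},
}

# Constructed analyzer rule set: rule id -> CWEs the rule claims to detect.
RULES = {
    "rule-sqli": {89},
    "rule-xss": {79},
    "rule-cmdi": {78},
    "rule-path-traversal": {22},
    "rule-weak-cipher": {327, 328},
    "rule-hardcoded-secret": {259, 798},
    "rule-xxe": {611},
    "rule-unsafe-deser": {502},
    "rule-ssrf": {918},
    "rule-log-injection": {117},
}


def invert(cwe_map):
    """CWE id -> set of categories that list it (a set, so overlaps show up)."""
    by_cwe = defaultdict(set)
    for category, cwes in cwe_map.items():
        for cwe in cwes:
            by_cwe[cwe].add(category)
    return by_cwe


def cwe_totals(cwe_map):
    """(sum of per-category counts, number of distinct CWEs).

    The two differ only if a CWE is listed under more than one category, which
    is the check behind 'when you do the sum category by category'."""
    per_category = sum(len(cwes) for cwes in cwe_map.values())
    distinct = len(set().union(*cwe_map.values()))
    return per_category, distinct


def categories_for_rule(cwes, cwe_map):
    """Top 10 categories a rule contributes to, via its CWE tags."""
    by_cwe = invert(cwe_map)
    return set().union(*(by_cwe.get(cwe, set()) for cwe in cwes))


def coverage(cwe_map, rules):
    """Per category: how many of its CWEs at least one rule detects, and which are missing."""
    by_cwe = invert(cwe_map)
    covered = defaultdict(set)
    for cwes in rules.values():
        for cwe in cwes:
            for category in by_cwe.get(cwe, ()):
                covered[category].add(cwe)
    report = {}
    for category, cwes in cwe_map.items():
        hit = covered.get(category, set())
        report[category] = {
            "covered": len(hit),
            "total": len(cwes),
            "missing": sorted(cwes - hit),
        }
    return report


def unmapped_cwes(cwe_map, rules):
    """CWE tags on rules that belong to no category: stale or mistyped tags."""
    by_cwe = invert(cwe_map)
    return sorted({cwe for cwes in rules.values() for cwe in cwes if cwe not in by_cwe})


if __name__ == "__main__":
    total, distinct = cwe_totals(OWASP_2021)
    print(f"{total} CWE entries across categories, {distinct} distinct")
    for category, row in coverage(OWASP_2021, RULES).items():
        print(f"{category}: {row['covered']}/{row['total']} covered, missing {row['missing']}")
    print("tags outside the mapping:", unmapped_cwes(OWASP_2021, RULES))
```

Running it with the constructed data shows two things a coverage effort needs to watch: the missing lists per category (A04 and A06 are empty here, which is typical for static analyzers, since those categories are largely design and dependency concerns), and any CWE tag on a rule that no category claims, which would otherwise be silently dropped from every report.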