Rest API NOT return the issues for a CWE identifier

Hi everyone,

I am trying to get all the issues for a CWE Identifier. I am using http://localhost:9000/api/issues/search?tags=cwe&cwe=459 api(as mentioned in this comment Sonarqube Rest API NOT return CWE-Number of issue with "type": "VULNERABILITY" - #5 by Alexandre_Gigleux), but it doesn’t work. It always returns zero issues for everything that’s not related to VULNERABILITY type even if my project has CWE issues.
Is there a way to get all issues for a CWE Identifier for BUG and CODE_SMELL types?
Thank you.

Hey there.

As requested in the template post, what version of SonarQube are you using?

Hello, I’m using SonarQube 10.0 Community Edition.


Using a query parameter like cwe=459 should work.

What are you receiving in the response that leads you to believe it doesn’t, or what issues are you seeing the UI that match this CWE that you can’t retrieve using the API?


When I’m using this api call http://localhost:9000/api/issues/search?componentKeys=GradleProject&tags=cwe&types=BUG&cwe=459, the output is the following:

but in SonarQube UI when selecting the CWE Tag we can see that we have 19 CWEs for BUG Type.

Also, if I go, for example, on the first issue rule, and look at the bottom description we can see that it corresponds to CWE 459, so I’m expecting that the api above returns the correct data.
When I’m following this steps to any issue that has a CWE corresponding to VULNERABILITY type, the api returns the desired data.
e.g calling this api http://localhost:9000/api/issues/search?componentKeys=GradleProject&tags=cwe&types=VULNERABILITY&cwe=259, the response is the following:

    "total": 2,
    "p": 1,
    "ps": 100,
    "paging": {
        "pageIndex": 1,
        "pageSize": 100,
        "total": 2
    "effortTotal": 120,
    "issues": [
            "key": "key",
            "rule": "java:S6437",
            "severity": "BLOCKER",
            "component": "GradleProject:src/main/java/com/example/map_proiect_extins/utils/",
            "project": "GradleProject",
            "line": 40,
            "hash": "hash",
            "textRange": {
                "startLine": 40,
                "endLine": 40,
                "startOffset": 20,
                "endOffset": 44


References in a rule-description does not necessarily mean that the issue is tied to a CWE in the backend (which you can filter to under the Security Category facet). Only vulnerabilities store this information in a structured way.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.