We’re preparing for a security certification audit. Is there a way to generate a report or some sort of proof that we can provide that the rules we’re running account for all applicable vulnerabilities in the Top 25, “on the cusp”, or other vulnerability lists?
Apologies for the late reply.
May I suggest that you start by browsing the SonarSource rules documentation. You can find that here.
On this page you can select the language you are scanning from the column on the left-hand side, e.g. “Java”. Then you can select the “tag” from the menu bar, e.g. “owasp” or “sans-top25”. This will give you a list of the rules that apply to these criteria.
Here is a link to “Java/sans-top25” as a starter.
I hope this helps.
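The reply above points at the rules website, which is fine for browsing but awkward to hand to an auditor. The same language-plus-tag filter can be pulled from a SonarQube server and written out as a CSV. The script below is an added example, not code from this thread or from SonarSource. It assumes the SonarQube Web API endpoint `api/rules/search` accepts the query parameters `languages`, `tags`, `p` and `ps`, and answers with JSON containing `total` and a `rules` list whose entries carry `key`, `name`, `type`, `severity`, `tags` and `sysTags`; it also assumes a user token is sent as the Basic-auth user name with an empty password. Check these names against the `/web_api` page of your own server before relying on the output. The embedded two-page reply is constructed so the script runs offline; rule keys and names in it are made up.

```python
"""Report Sonar rules that carry a given tag (e.g. "sans-top25") for one language.

Added example, not code from the forum thread or from SonarSource. It assumes
the SonarQube Web API endpoint api/rules/search with the query parameters
`languages`, `tags`, `p` and `ps`, and a JSON reply with `total` plus a
`rules` list whose entries carry `key`, `name`, `type`, `severity`, `tags`
and `sysTags`. Check the field names against your server's /web_api page.
"""
import base64
import csv
import io
import json
import sys
import urllib.parse
import urllib.request

PAGE_SIZE = 500  # assumed maximum page size for api/rules/search


def fetch_pages(base_url, token, language, tag):
    """Yield every page of api/rules/search for one language and tag (live call)."""
    page = 1
    while True:
        query = urllib.parse.urlencode(
            {"languages": language, "tags": tag, "p": page, "ps": PAGE_SIZE})
        req = urllib.request.Request(f"{base_url.rstrip('/')}/api/rules/search?{query}")
        # Assumed: a user token is sent as the Basic-auth user name, empty password.
        cred = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        yield body
        if page * PAGE_SIZE >= body["total"] or not body["rules"]:
            return
        page += 1


def pages_complete(pages):
    """True when the pages together hold exactly `total` rules, i.e. nothing was dropped."""
    pages = list(pages)
    if not pages:
        return False
    return sum(len(p["rules"]) for p in pages) == pages[0]["total"]


def extract_rows(pages, tag):
    """Flatten pages into (key, name, type, severity, matched_tags) rows.

    The server already filters by tag; the client re-checks each rule's user
    tags and system tags so the report shows which tag actually matched.
    Sub-tags such as "sans-top25-insecure" count as matches for "sans-top25".
    """
    rows = []
    for page in pages:
        for rule in page["rules"]:
            all_tags = list(rule.get("tags", [])) + list(rule.get("sysTags", []))
            matched = sorted(t for t in all_tags if t == tag or t.startswith(tag + "-"))
            if matched:
                rows.append((rule["key"], rule["name"], rule["type"],
                             rule["severity"], "|".join(matched)))
    return sorted(rows)


def render_csv(rows):
    """Return the report as CSV text with a header line."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["key", "name", "type", "severity", "matched_tags"])
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample reply (two pages); rule keys, names and tags are made up.
SAMPLE_PAGES = [
    {"total": 3, "p": 1, "ps": 2, "rules": [
        {"key": "java:S0001", "name": "Constructed rule A", "type": "VULNERABILITY",
         "severity": "CRITICAL", "tags": [], "sysTags": ["cwe", "sans-top25-insecure"]},
        {"key": "java:S0002", "name": "Constructed rule B", "type": "SECURITY_HOTSPOT",
         "severity": "MAJOR", "tags": ["sans-top25"], "sysTags": ["owasp-a1"]},
    ]},
    {"total": 3, "p": 2, "ps": 2, "rules": [
        {"key": "java:S0003", "name": "Constructed rule C", "type": "CODE_SMELL",
         "severity": "MINOR", "tags": [], "sysTags": ["convention"]},
    ]},
]

if __name__ == "__main__":
    # Usage: report.py https://sonar.example.invalid <token> java sans-top25
    # With no arguments the constructed sample is used instead of a live server.
    if len(sys.argv) == 5:
        base_url, token, language, tag = sys.argv[1:]
        pages = list(fetch_pages(base_url, token, language, tag))
    else:
        language, tag, pages = "java", "sans-top25", SAMPLE_PAGES
    if not pages_complete(pages):
        sys.exit("fetched rule count does not match total; report would be incomplete")
    sys.stdout.write(render_csv(extract_rows(pages, tag)))
```

The completeness check matters for an audit artefact: a report silently truncated by pagination looks exactly like a complete one. Note that this lists the rules the server knows about, not the rules active in the quality profile your projects actually use; for that the same endpoint would need a profile-scoped filter, which is outside what this thread covers.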