Security hotspot categories

Dev team would like clarity on what findings are important to Security team:

  • Using GitHub, languages include Go, Python, etc.
  • Hoping for some pointers to identify the categories that Sonar Security findings fall under. Aside from standard urgency (Critical / High / Med / Low), wondering if findings fall under other breakdowns such as OWASP Top 10, maybe MITRE ATTACK vector, etc…
  • Appreciate a pointer to where this is listed, or an answer that might not be published online.

Hey there.

Security Hotspots are mapped to OWASP Top 10, CWE Top 25, and SANS Top 25… but none of this gets exposed in the SonarCloud UI (unlike in SonarQube, where this information is available in the Security Reports that Enterprise Edition and higher offer).

(I speak I) feel there’s a gap here. I’ll ping the right individual to take a look.

Hey @markoma

We recently launched SonarCloud Enterprise, which includes support for Security Reports!