Security Reports tab missing

deviljim · July 28, 2021, 7:46pm

What happened to the Security Reports tab for OWASP Top 10 and SANS Top 25 that was available in version Community Edition 7.3? Am I missing a plugin or something in Version 8.3.1?

Version 7.3

Version 8.3.1

ganncamp · July 29, 2021, 7:09pm

Hi,

Welcome to the community!

First, your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

7.3 → 7.9.6 → 8.9.2 → 9.0.1 (last step optional)

Regarding your actual question, security reports are now only available in Enterprise Edition($$) and above.

Ann

deviljim · July 30, 2021, 12:09am

HI Ann,

Thanks for your quick response, have some quick followup questions.

I am running both version 7.3 and 8.3, are both past EOL?
What exactly does it mean for SQ to be past EOL, it will not get rule updates and software patches? Are the SANS top 25 and OWASP top 10 analysis results still valid?
What is the upgrade path for version 8.3?

ganncamp · July 30, 2021, 4:54pm

Hi,

Yes. Supported versions are always the current LTS and the Latest version. If you’re running something between those two versions (currently there isn’t anything between them; LTS is 8.9.2 and Latest is 9.0.1), it’s not supported but we don’t get pushy. Anything older than the current LTS is “past EOL” though.

Correct. We generally only patch the current LTS. We did just release a point version of Latest/9.0, but that’s rare.

Yes, as far as they go. But one thing staying on the Latest version gets you us rule updates - LTS doesn’t get those - which means that between where you are and the Latest version, there might be more rules or the implementations of the rules you already have may have gotten smarter.

Upgrade paths always go through any intervening LTSs. So for 8.3 your upgrade path is:

8.3 → 8.9.2 → 9.0.1 (last step optional)

HTH,
Ann

deviljim · July 30, 2021, 9:26pm

Got it. I have two community instances running (7.3 and 8.3), and I want to consolidate the projects into my 8.3 instance, then upgrade to LTS/Latest. My specific problem is the 7.3 instance shows the OWASP/SANS reports, but the 8.3 instance does not. Is there a way I can enable these reports in 8.3 or later, via a plugin?

Rebse · August 2, 2021, 6:03am

Hi,

security reports are now only available with Enterprise edition and higher
as Ann already mentioned.
see Security Reports | SonarQube Docs

Gilbert