Security Reports

We are using SonarQube Community version 7.9.4 LTS

Referring to https://docs.sonarqube.org/latest/user-guide/security-reports/

Please help me understand the following:

  1. Are these reports based on the CWE, OWASP and SANS rules activated in our Quality Profiles?
  2. Would these reports be available at project level or enterprise level?
  3. Where can I find the complete list of SAST rules available in SonarQube?

Hi @Tripti_Mittal

As you are using a Community Edition, you will not see the Security Reports nor the SAST rules (detection of injection flaws), which are part of commercial licenses only.

1- the Security Report is available in the Enterprise Edition and above. The purpose is to gather and classify the vulnerabilities and security hotspots found in your source code under different categories:

  • OWASP Top 10 classification
  • SANS Top 25 classification
  • SonarSource classification

This report exists at both project and portfolio levels.

2- Regarding the SAST rules available in SonarQube: taint analysis and detection of injection flaws are available starting in the Developer Edition.

If you have a look at our rules website, you can select the language you want to analyse and then use the security tag (vulnerability, for example). In each rule, at the bottom, you’ll find the edition where the rule is available (meaning: if it says Developer Edition, the rule will be available starting in Developer Edition and above). Ex: https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-5334 for the Java rule (available in Developer Edition and above).
Just remember that the rules website is up to date with the latest version of our analysers, which is embedded in the latest version of SonarQube (8.5 currently).

I would encourage you to try our Enterprise version, so you can figure out how the Security Reports are built and see the added value of the SAST features we’ve incorporated into our latest versions.

HTH,
Carine