I was using SonarQube 7.7, but in that version the OWASP Top 10 is not included as part of the Quality Gate. The OWASP Top 10 is part of the security groups as a separate entity.
I then used SonarQube 8.2, in which the OWASP Top 10 is included as part of the Security Hotspots.
For the same code I get different OWASP Top 10 results for SonarQube 8.2 & SonarQube 7.7.
Your post lacks a question! What help are you looking for?
I would like to know why I am seeing a different set of OWASP Top 10 results with the same code for SonarQube 7.7 & SonarQube 8.2?
Looks like Security Hotspots were coming up before in 7.7. Starting in 8.2, Security Hotspots live their lives separated from issues in a dedicated “Security Hotspots” tab on projects. That probably helps explain the difference.
Outside of this, as our analyzers and tagging of rules get better and better from version to version, you might see differences in analysis results. (We make a rule better, implement a new rule, or update the security standards associated with a rule.) That’s a good thing!