I am analyzing the extent to which SonarQube Enterprise covers CWEs for Java and JavaScript. I’d like assistance in validating that my analysis is accurate.
I have SonarQube Enterprise 7.9, but I also spun up a Docker container with 8.4.1 Enterprise and ran my analysis against that as well.
I wrote a script that pulls this zipped CSV file from MITRE. (It’s the latest as of now, containing all the software CWEs.)
https://cwe.mitre.org/data/csv/699.csv.zip
My Python script iterates over each CWE number in that CSV and calls this Sonar API with these parameters…
rules/search?languages={language}&f=lang,isExternal,name,sysTags,htmlDesc&status=active&cwe={cwe_id}&ps=500
… to look up which rules for Java (and then separately JavaScript) correspond to that CWE. Note that for {language} I substitute either java or js, and for {cwe_id} I substitute the current CWE ID from the CSV.
I then count the number of Java and JavaScript rules that come back in each response’s “total” field and add them to my total count for the given language.
My results against 7.9 Enterprise were:
Total CWEs mapped to Java Sonar rules: 73
Total CWE rules unmapped to Java Sonar rules: 345
Total CWEs mapped to JS Sonar rules: 32
Total CWE rules unmapped to JS Sonar rules: 386
Total CWE rules: 418
My results against a locally spun-up Docker container running 8.4.1 were:
Total CWEs mapped to Java Sonar rules: 66 <-- Fewer rules mapping in the newer version!
Total CWE rules unmapped to Java Sonar rules: 352
Total CWEs mapped to JS Sonar rules: 32
Total CWE rules unmapped to JS Sonar rules: 386
Total CWE rules: 418
I have read this post related to analyzing CWEs, and so I expected from @Alexandre_Gigleux’s comment that I’d see a higher number of mappings in 8.4.1.
As you can see above, I saw no change in JavaScript rule coverage and a reduction in rule coverage for Java.
How have I miscalculated, if at all, the degree to which SonarQube rules map to CWEs? Regardless of the discrepancy, is 66 out of 418 the quantity that you’d expect?
Thanks,
Damon
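The counting procedure described in the post, written out as an added example (this is not the poster's script and not SonarSource code). It builds the same rules/search query, reads CWE IDs from a CSV in the MITRE view layout (assumed here to carry the numeric ID in the first column, header "CWE-ID"), and for each language reports three different numbers that the post's wording runs together: the count of CWEs that return at least one rule, the sum of the "total" fields across all CWE queries, and the number of distinct rule keys seen. The sum of totals can exceed the distinct rule count because one rule may be tagged with several CWEs. The sample CSV rows, the rule keys and the canned responses below are constructed so the example runs offline; `http_search` is the piece you would use against a live server.

```python
"""Per-CWE SonarQube rule coverage, reproducing the query from the post.

Added example, not the original poster's script. Network access is optional:
pass `http_search(base_url, token)` for a live server, or any callable
search(language, cwe_id) -> parsed JSON body for offline use.
"""
import base64
import csv
import io
import json
import urllib.parse
import urllib.request

SEARCH_PATH = "/api/rules/search"
FIELDS = "lang,isExternal,name,sysTags,htmlDesc"


def cwe_ids_from_csv(csv_text):
    """Return numeric CWE IDs from a MITRE view CSV.

    Assumption: the first column holds the ID (MITRE's header is 'CWE-ID').
    Rows whose first cell is not an integer (e.g. the header) are skipped.
    """
    reader = csv.reader(io.StringIO(csv_text))
    return [int(row[0]) for row in reader if row and row[0].strip().isdigit()]


def build_query(base_url, language, cwe_id, page_size=500):
    """Same parameters as the post's rules/search call, URL-encoded."""
    params = {
        "languages": language,
        "f": FIELDS,
        "status": "active",
        "cwe": str(cwe_id),
        "ps": str(page_size),
    }
    return f"{base_url.rstrip('/')}{SEARCH_PATH}?{urllib.parse.urlencode(params)}"


def http_search(base_url, token=None):
    """Return a search(language, cwe_id) callable that hits a live SonarQube.

    A user token is sent as the HTTP Basic username with an empty password.
    """
    def search(language, cwe_id):
        req = urllib.request.Request(build_query(base_url, language, cwe_id))
        if token:
            cred = base64.b64encode(f"{token}:".encode()).decode()
            req.add_header("Authorization", "Basic " + cred)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return search


def coverage(cwe_ids, languages, search):
    """Query every (language, CWE) pair and summarise three different counts.

    cwes_mapped    : CWEs for which 'total' > 0 (the coverage figure)
    rule_hits      : sum of the 'total' fields, as the post adds them up
    distinct_rules : number of unique rule keys returned across all CWEs
    """
    report = {}
    for lang in languages:
        mapped, hits, keys, per_cwe = 0, 0, set(), {}
        for cwe in cwe_ids:
            body = search(lang, cwe)
            total = int(body.get("total", 0))
            per_cwe[cwe] = total
            hits += total
            if total > 0:
                mapped += 1
            keys.update(r["key"] for r in body.get("rules", []))
        report[lang] = {
            "cwes_total": len(cwe_ids),
            "cwes_mapped": mapped,
            "cwes_unmapped": len(cwe_ids) - mapped,
            "rule_hits": hits,
            "distinct_rules": len(keys),
            "per_cwe": per_cwe,
        }
    return report


# ---- constructed sample data for an offline run -------------------------
SAMPLE_CSV = """CWE-ID,Name,Weakness Abstraction,Status
79,Cross-site Scripting,Base,Stable
89,SQL Injection,Base,Stable
259,Use of Hard-coded Password,Variant,Draft
798,Use of Hard-coded Credentials,Base,Draft
"""

# Constructed rule keys: the same hypothetical rule java:A4 is tagged with
# both CWE-259 and CWE-798, which is what separates rule_hits from distinct_rules.
FAKE_RULES = {
    ("java", 79): ["java:A1"],
    ("java", 89): ["java:A2", "java:A3"],
    ("java", 259): ["java:A4"],
    ("java", 798): ["java:A4"],
    ("js", 79): ["javascript:B1"],
}


def fake_search(language, cwe_id):
    """Offline stand-in for the API; mirrors the shape of a rules/search body."""
    keys = FAKE_RULES.get((language, cwe_id), [])
    return {"total": len(keys), "p": 1, "ps": 500,
            "rules": [{"key": k, "lang": language} for k in keys]}


def sample_report():
    return coverage(cwe_ids_from_csv(SAMPLE_CSV), ["java", "js"], fake_search)


if __name__ == "__main__":
    for lang, r in sample_report().items():
        print(lang, {k: v for k, v in r.items() if k != "per_cwe"})
```

With the constructed data, Java shows 4 CWEs mapped, 5 rule hits but only 4 distinct rules, and JS shows 1 of 4 CWEs mapped. Against a live server, replace `fake_search` with `http_search("https://sonar.example.invalid", token)` (hypothetical host) and feed `cwe_ids_from_csv` the unzipped 699.csv; the `total` field is independent of `ps`, but `distinct_rules` is only exact while every per-CWE total stays within the 500-row page.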