I have SonarQube Enterprise 7.9, but I also spun up a Docker container with 8.4.1 Enterprise and ran my analysis against that as well.
I wrote a script that pulls this zipped CSV file from MITRE (it's the latest as of now, containing all the software CWEs).
My Python script iterates over each CWE number in that CSV and calls this Sonar API with these parameters…
My results against 7.9 enterprise were:
Total CWEs mapped to java sonar rules: 73
Total CWEs unmapped to java sonar rules: 345
Total CWEs mapped to js sonar rules: 32
Total CWEs unmapped to js sonar rules: 386
Total CWEs: 418
My results against a locally spun up docker container running 8.4.1 were:
Total CWEs mapped to java sonar rules: 66   <-- Fewer rules mapping in the newer version!
Total CWEs unmapped to java sonar rules: 352
Total CWEs mapped to js sonar rules: 32
Total CWEs unmapped to js sonar rules: 386
Total CWEs: 418
How have I miscalculated, if at all, the degree to which SonarQube rules map to CWEs? Regardless of the discrepancy, is 66 out of 418 the quantity that you'd expect?
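As an added example (not the poster's script) of how such a count can be done so the method itself can be checked: a MITRE-style CSV is parsed, each CWE is queried through SonarQube's api/rules/search using its documented cwe and languages filters, and the counting step takes the lookup as a function so it can run against canned answers without a server. The sample CSV rows, the fake rule totals, and the base URL and token are constructed assumptions.

```python
import base64
import csv
import io
import json
from typing import Callable, Dict, List
from urllib.parse import urlencode
from urllib.request import Request, urlopen
# Constructed sample shaped like MITRE's software-CWE CSV; only the 'CWE-ID' column is used.
SAMPLE_CWE_CSV = """CWE-ID,Name,Weakness Abstraction
79,Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'),Base
89,Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'),Base
502,Deserialization of Untrusted Data,Base
1004,Sensitive Cookie Without 'HttpOnly' Flag,Variant
"""

def load_cwe_ids(csv_text: str) -> List[str]:
    """CWE numbers (as strings) listed in a MITRE-style CSV."""
    return [row["CWE-ID"].strip() for row in csv.DictReader(io.StringIO(csv_text))]

def sonar_rule_total(base_url: str, token: str, cwe: str, language: str) -> int:
    """How many rules for `language` SonarQube tags with this CWE, via the documented
    'cwe' and 'languages' filters of api/rules/search (ps=1: only 'total' is read).
    base_url and token are whatever your instance uses (assumed, not from the post)."""
    query = urlencode({"cwe": cwe, "languages": language, "ps": 1})
    req = Request(f"{base_url.rstrip('/')}/api/rules/search?{query}")
    # A SonarQube user token goes in as the basic-auth username with an empty password.
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urlopen(req, timeout=30) as resp:
        return int(json.load(resp)["total"])

def cwe_coverage(cwe_ids: List[str], language: str,
                 lookup: Callable[[str, str], int]) -> Dict[str, object]:
    """Count CWEs that map to at least one rule; lookup(cwe, language) returns a rule total.
    The lookup is injectable so the counting step can be checked without a server."""
    mapped = [c for c in cwe_ids if lookup(c, language) > 0]
    return {"total": len(cwe_ids), "mapped": len(mapped),
            "unmapped": len(cwe_ids) - len(mapped), "mapped_ids": mapped}

# Canned rule totals standing in for a live server (constructed, not real SonarQube data).
FAKE_TOTALS = {("79", "java"): 3, ("89", "java"): 2, ("502", "java"): 1, ("79", "js"): 1}
def fake_lookup(cwe: str, language: str) -> int:
    return FAKE_TOTALS.get((cwe, language), 0)

if __name__ == "__main__":
    # For a real run: lookup = lambda c, l: sonar_rule_total("http://localhost:9000", "<token>", c, l)
    ids = load_cwe_ids(SAMPLE_CWE_CSV)
    for lang in ("java", "js"):
        s = cwe_coverage(ids, lang, fake_lookup)
        print(f"{lang}: {s['mapped']} mapped, {s['unmapped']} unmapped of {s['total']}")
```

Running it against a real instance means only swapping `fake_lookup` for a call to `sonar_rule_total`, so any difference between two server versions comes from the server's answers, not from the counting.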