Hello,
I am checking the CWE 2021 Top 25 CWE and CWE CUSP. I need the SonarQube rule list related to these CWEs to link and add to my project. Can anybody share a list of these rules? Is there any direct plugin available for CWE releases?
Thanks in advance.
Hi,
Welcome to the community!
Most significant security-related rules are enabled in the Sonar way profiles, although some are only available in commercial editions. Security reports, including reports against the CWE Top 25 are available in Enterprise Edition($$).
For finding rules, I can only offer the cwe rule tag. On the individual rules, you can find the specific CWEs they're mapped to.
HTH,
Ann
Thank you for your reply.
I checked all the rules for C and C++ at link below.
C++ static code analysis (sonarsource.com).
Please confirm the link I am using for set of rules for C and C++.
I used Tags filter and selected only CWE option and did not select any other filter.
For C++, 61 rules and for C, 58 rules appeared after the filter was applied.
I checked Top 25 CWEs 2023 list and CUSP 15 list. Not all CWEs out of above list are tagged with SonarQube rules.
So for example, CWE-20, CWE-787, CWE-125. Please let me know which rules are tagged with any of these CWEs. I couldn't find any rule which has been tagged with any of the above mentioned CWEs. There are a few other CWEs also which are not tagged. I can see only 12 or 13 CWEs are tagged out of Top 25 + CUSP 15.
If that is the case, then can we say that not all Top 25 + CUSP 15 CWEs are tagged to SonarQube rules?
Please let me know where I can get the list of all the rules tagged with CWEs, at least Top 25 + CUSP 15 + OWASP Top 10. Is it available in any SonarQube edition at least?
I hope I could explain.
Please let me know if my approach and my understanding are correct?
Hi,
Yes, that's officially the link to use to see all the rules.
And personally, I find it far easier to filter in a SonarQube instance. (The search is better.)
We don't necessarily have rules for each of those CWEs.
Ann
I am using the enterprise edition 2025.1.1
I'm using the community in hopes of finding a solution in a reasonable amount of time.
I used these URLs: C++ static code analysis | cwe and C static code analysis | cwe
I was able to find 73 CWEs, but could not locate the following CWE Top 25 items (listed in the SonarQube CWE Security Report section): CWE-79, 787, 89, 78, 20, 125, 22, 352, 434, 862, 287, 190, 502, 77, 918, 306, 269, 94, 863, 276
Two of the above showed up on the CWE Top 25 report.
I went to the project, then "Rules", and input both CWEs in the search and I found both associated with C# NOT C or C++. According to MITRE both are associated with C/C++. That's a big problem when scanning C/C++ only.
How do I convince the auditing authority that these SonarQube scans are accurate? Meaning, where there's a "0" in the report there's no issue…
I need the ability to "show" (convince) the audit authority that SonarQube is scanning C/C++ for the CWE Top 25.
Can you tell me how to do that?
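The check described in the post above (which Top 25 CWEs have at least one C/C++ rule, and which rule keys carry a given CWE) can be automated once the rule list is exported. This is an added example, not part of the thread and not SonarQube's own code: the rule records, rule keys and field names (`lang`, `cwe`) are constructed for illustration and are not SonarQube's API shape.

```python
"""Coverage-gap check: which CWE Top 25 ids have no C/C++ rule in an exported rule list.

Added example, not SonarQube's code. Assumes rules were exported to a JSON list where
each record has a language code and the CWE ids it is tagged with; the field names and
rule keys below are constructed for illustration.
"""
import json
import re

# Constructed from the ids listed in the post above (2023 Top 25 entries the poster looked for).
TOP25_2023 = {79, 787, 89, 78, 20, 125, 22, 352, 434, 862, 287, 190, 502, 77,
              918, 306, 269, 94, 863, 276}

# Constructed rule export with placeholder keys; CWE-89 is only tagged on a C# rule here,
# mirroring the situation the post describes.
RULES_JSON = """
[
  {"key": "cpp:EXAMPLE-1", "lang": "cpp", "tags": ["cwe"], "cwe": ["CWE-120", "CWE-787"]},
  {"key": "c:EXAMPLE-1",   "lang": "c",   "tags": ["cwe"], "cwe": ["CWE-120", "CWE-787"]},
  {"key": "cpp:EXAMPLE-2", "lang": "cpp", "tags": ["cwe"], "cwe": ["CWE-119"]},
  {"key": "cs:EXAMPLE-3",  "lang": "cs",  "tags": ["cwe"], "cwe": ["CWE-89", "CWE-564"]},
  {"key": "cpp:EXAMPLE-4", "lang": "cpp", "tags": [],      "cwe": []}
]
"""

CWE_RE = re.compile(r"CWE-(\d+)", re.I)

def _cwe_ids(values):
    """Extract integer CWE ids from strings such as 'CWE-787'; ignore anything else."""
    return {int(m.group(1)) for v in values for m in [CWE_RE.search(v)] if m}

def cwes_by_language(rules):
    """Map language code -> set of CWE ids tagged on at least one rule of that language."""
    out = {}
    for rule in rules:
        out.setdefault(rule["lang"], set()).update(_cwe_ids(rule.get("cwe", [])))
    return out

def coverage_gap(rules, standard, languages):
    """Return (covered, missing) ids of `standard` for the listed languages taken together."""
    by_lang = cwes_by_language(rules)
    covered_ids = set().union(*(by_lang.get(lang, set()) for lang in languages))
    return sorted(standard & covered_ids), sorted(standard - covered_ids)

def rules_for_cwe(rules, cwe_id, languages):
    """Rule keys in the given languages tagged with one CWE id (the evidence an auditor asks for)."""
    return sorted(r["key"] for r in rules
                  if r["lang"] in languages and cwe_id in _cwe_ids(r.get("cwe", [])))

if __name__ == "__main__":
    rules = json.loads(RULES_JSON)
    covered, missing = coverage_gap(rules, TOP25_2023, {"c", "cpp"})
    print("covered:", covered)            # [787]
    print("missing:", missing)            # the other 19 ids, e.g. 89 (only on a C# rule here)
    print("CWE-787 rules:", rules_for_cwe(rules, 787, {"c", "cpp"}))
```

Pointing the script at a real export of the cwe-tagged C and C++ rules gives the per-language list of uncovered Top 25 ids that the thread asks about, and the rule keys behind each covered one.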
Hi @Pep_Brown,
Welcome to the community!
I think you want to start from the "regulatory report", which includes a list of rules that were applied to the most recent analysis. Combine the fact that the rule was applied with a security report showing 0 issues, and surely that would be enough?
That will show that the project passes the rules we have available. Unfortunately we may not have rules to cover every aspect of the CWE Top 25 in every language.
HTH,
Ann
Hello Ann,
I appreciate your quick response! The regulatory report was very helpful, to a point…
What I think I know:
SonarQube uses various rules along with heuristics to find the CWE items that don't have a specific existing rule.
Is that an accurate summation?
My customer is security centric and is pushing us to switch to a different SAST tool just because of this, and we just got the CI/CD pipeline working properly with SonarQube…
The only saving grace is, the other SAST tools pretty much use the same process.
R/S
Jeremiah
Hi Jeremiah,
It's not clear to me what you mean by this. When we write rules, we ask ourselves "Does this apply to / cover a CWE?" If the answer is "yes", then we indicate that on the rule.
HTH,
Ann
Ex., I scrubbed all of the C/CPP rules and found rules relating to 73 different CWEs, but not all of the top 25 CWEs. Of the top 25 CWEs missing, CWE-125 is one. Looking through the SonarQube documentation, it states that there may not be a rule for every CWE (much the same as you stated in your original email response: "Unfortunately we may not have rules to cover every aspect of the CWE Top 25 in every language."). In cases where there is not a specific rule, techniques (not the exact language) to identify whether or not CWE-125 (Out-of-bounds READ) is present.
Is that more clear?
R/S
Jeremiah
Hi Jeremiah,
Sorry, but I'm not clear where you're going with this. If we don't have a rule tied to CWE-125, then we don't think we currently have implemented functionality related to it.
Ann
Hi Ann,
It may make more sense if I pose the question like this:
The SonarQube GUI has a spot for security reports. Among the security reports is a section for Top 25 CWEs for 3 different years. In my example, I used CWE-125 which is built into the SonarQube security reports Top 25 CWEs, but I could not find CWE-125 in the C/CPP rules. Consequently, I began to research why it is included in the report, but there is no specific mention of CWE-125 in the C/CPP rules (which it does apply to). If (as is mentioned in this thread by another user as well) SonarQube does not have a rule for each of the Top 25 CWEs, but those CWEs are part of the built in SonarQube security reports, how is that possible?
R/Jeremiah
Hi,
Just because we don't have a rule for CWE-125, that doesn't mean it stops being part of the Top 25.
We include CWE-125 in the report because it is part of the Top 25 and to be transparent about the fact that we don't cover it. If we omitted it, and other CWEs in the Top 25 that we don't cover, you might get a false sense of security.
HTH,
Ann
Hi,
I'm not suggesting CWE-125 (or any others that don't have a specific rule) stops being part of the Top 25. I'm saying it's part of the report and the assumption is, everything on the report is actively checked during a scan.
Not sure what you mean by transparency; when SQ was installed in my area, we (security SMEs) just assumed the Top 25 report was as it appeared. SQ information to the contrary was not readily available. The only reason I even decided to check it out was due to a question from the customer. I had to dig to find that information about the missing Top 25. BTW, CWE-125 is not the only one missing. I could not locate CWE-190, 522, 94, 269, or 276.
As a matter of fact, the information I found indicated that SonarQube could detect CWE-125 using other methods, depending on the type of vulnerability/flaw.
Note: SonarQube classifies CWE-416 as a "bug" and it is part of the Top 25. The 2023 Top 25 ranked 416 4th on the list…
R/Jeremiah
Hi Jeremiah,
What do you suggest? That we leave CWE-125 out of the list of CWE Top 25?
Ann
I think if SQ is "in fact" not scanning for all of the Top 25, that should be clear to the users. If that is the case you really shouldn't have a Top 25 report.
If the info I've been able to gather is accurate, I'm not 100% sure that SQ is not filling the gaps relative to the missing Top 25 rules…
I think it's time for me to take this to my program support and have a trouble ticket put in with SQ Enterprise. It might take a bit to get a definitive answer, but I'll post back here when I do.
R/S
Jeremiah
I got the answer as to which Top 25 CWEs SQ scans for per language. I'm being told SQ will continue to add to the Top 25. C/C++ are the furthest behind. I don't know how long SQ has had the Top 25 reports, but I'm guessing "continue to add" will be years…
The information actually does exist on the SQ site: Security reports | SonarQube Server Documentation (click the arrow on the right of "CWE Top 25 security standards covered by Sonar for version 2024"). They haven't changed much from year to year. Here's the table:
Hi @Pep_Brown
We are actively working on improving this coverage in 2 ways:
I hope it helps.
Hi all!
Just to let you know, this plugin from bitegarden already gives you information about OWASP and the On the CUSP issues:
Security Plugin for SonarQube | bitegarden - Plugins for SonarQube and SonarCloud
It will always depend on how many CWEs are covered by the enabled Sonar rules for analysis.
If there are rules that cover any of the On the CUSP CWEs you will be able to see it on the plugin page:
Hope that it helps!
Best regards.