SonarQube rules for CWEs TOP 25 (2021) and CUSP

Hello,

I am checking the CWE 2021 Top 25 and the CWE CUSP. I need the SonarQube rule list related to these CWEs to link and add to my project. Can anybody share a list of these rules? Is there any direct plugin available for the CWE releases?

Thanks in Advance.

Hi,

Welcome to the community!

Most significant security-related rules are enabled in the Sonar way profiles, although some are only available in commercial editions. Security reports, including reports against the CWE Top 25, are available in Enterprise Edition ($$).

For finding rules, I can only offer the cwe rule tag. On the individual rules, you can find the specific CWEs they’re mapped to.

 
HTH,
Ann

Thank you for your reply.

I checked all the rules for C and C++ at the link below.

C++ static code analysis (sonarsource.com).

Please confirm the link I am using for the set of rules for C and C++.

I used the Tags filter and selected only the CWE option, and did not select any other filter.

For C++, 61 rules, and for C, 58 rules appeared after the filter was applied.
I checked the Top 25 CWEs 2023 list and the CUSP 15 list. Not all CWEs from the above lists are tagged with SonarQube rules.

So, for example, CWE-20, CWE-787, CWE-125: please let me know which rules are tagged with any of these CWEs. I couldn't find any rule which has been tagged with any of the above-mentioned CWEs. There are a few other CWEs also which are not tagged. I can see only 12 or 13 CWEs are tagged out of the Top 25 + CUSP 15.

If that is the case, then can we say that not all Top 25 + CUSP 15 CWEs are tagged to SonarQube rules?

Please let me know where I can get the list of all the rules tagged with CWEs, at least the Top 25 + CUSP 15 + OWASP Top 10. Is it available in at least one SonarQube edition?

I hope I could explain.

Please let me know if my approach and my understanding are correct?

Hi,

Yes, that’s officially the link to use to see all the rules.

And personally, I find it far easier to filter in a SonarQube instance. (The search is better.)

We don’t necessarily have rules for each of those CWEs.

 
Ann
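One way to do the per-CWE filtering Ann describes against a running SonarQube instance rather than the public rules site, as an added example (not code from this thread or from SonarSource): the Web API endpoint `GET /api/rules/search` accepts `cwe` (a comma-separated list of CWE identifiers), `languages`, and paging parameters `p`/`ps`, and returns a JSON document with `total` and a `rules` array. The script below queries one CWE at a time and reports which identifiers from your list come back with zero rules. The server URL, token handling via the `SONAR_URL`/`SONAR_TOKEN` environment variables, and the embedded sample payloads (including their rule keys) are assumptions constructed for the example and say nothing about real rule coverage.

```python
"""List SonarQube rules per CWE identifier and report uncovered CWEs.

Added example for this thread, not SonarSource code. Uses the
SonarQube Web API endpoint GET /api/rules/search with its `cwe`,
`languages`, `p` and `ps` parameters. Server URL, token and the
offline sample payloads below are assumptions / constructed data.
"""
import base64
import json
import os
import urllib.parse
import urllib.request


def search_rules_page(base_url, cwe_id, languages, page, token=None, page_size=500):
    """Fetch one page of api/rules/search for a single CWE id (live instance)."""
    params = {"cwe": cwe_id, "languages": languages, "p": page, "ps": page_size}
    url = f"{base_url.rstrip('/')}/api/rules/search?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    if token:
        # SonarQube accepts a user token as the Basic-auth user name with an empty password.
        auth = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {auth}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def search_rules_all(base_url, cwe_id, languages, token=None):
    """Follow paging until all rules for the CWE are collected; returns a merged payload."""
    merged = {"total": 0, "rules": []}
    page = 1
    while True:
        payload = search_rules_page(base_url, cwe_id, languages, page, token)
        merged["total"] = payload.get("total", 0)
        merged["rules"].extend(payload.get("rules", []))
        if len(merged["rules"]) >= merged["total"] or not payload.get("rules"):
            return merged
        page += 1


def rules_from_response(payload):
    """Extract (key, name, lang) tuples from an api/rules/search payload."""
    return [(r["key"], r["name"], r.get("lang", "")) for r in payload.get("rules", [])]


def cwe_coverage(cwe_ids, fetch):
    """Map each CWE id to the list of rule keys returned by fetch(cwe_id)."""
    return {cwe: [key for key, _, _ in rules_from_response(fetch(cwe))] for cwe in cwe_ids}


def uncovered(coverage):
    """CWE ids for which the instance returned no rule at all."""
    return sorted(cwe for cwe, keys in coverage.items() if not keys)


# Constructed sample payloads so the example runs offline. The rule keys are
# made up and the coverage shown here is NOT a statement about real SonarQube rules.
SAMPLE_RESPONSES = {
    "CWE-20": {"total": 0, "p": 1, "ps": 500, "rules": []},
    "CWE-119": {"total": 2, "p": 1, "ps": 500, "rules": [
        {"key": "c:SEXAMPLE1", "name": "sample rule A", "lang": "c", "sysTags": ["cwe"]},
        {"key": "cpp:SEXAMPLE2", "name": "sample rule B", "lang": "cpp", "sysTags": ["cwe"]},
    ]},
    "CWE-787": {"total": 0, "p": 1, "ps": 500, "rules": []},
}


def offline_demo():
    """Run the coverage check over the constructed payloads."""
    return cwe_coverage(list(SAMPLE_RESPONSES), lambda cwe: SAMPLE_RESPONSES[cwe])


if __name__ == "__main__":
    base_url = os.environ.get("SONAR_URL")  # assumed env var, e.g. http://localhost:9000
    if base_url:
        token = os.environ.get("SONAR_TOKEN")
        fetch = lambda cwe: search_rules_all(base_url, cwe, "c,cpp", token)
        cov = cwe_coverage(["CWE-20", "CWE-787", "CWE-125"], fetch)
    else:
        cov = offline_demo()
    for cwe, keys in cov.items():
        print(f"{cwe}: {len(keys)} rule(s) {keys}")
    print("no rule returned for:", uncovered(cov))
```

With `SONAR_URL` (and, for a private instance, `SONAR_TOKEN`) set, the script queries the live server for C and C++; without them it runs over the constructed sample and prints which sample CWEs came back empty. The `languages` value can be widened or dropped to compare coverage across all analyzers installed on the instance.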