SonarQube security rules - Community, Developer, other editions

(MarkL) #1

Hi all,

Please can someone tell me what difference there is between the different editions of SonarQube (Community, Developer, etc) in regard to security compliance/security rules (OWASP, CWE, SANS, other)?

Is there a link or doc that details any differences?

Thanks in advance


(Alexandre Gigleux) #3

Hello,

SonarQube Community Edition is coming with rules dedicated to the security domain mainly for Java, C# and PHP. I let you check the Vulnerability and Security Hotspots rules for each language directly on https://rules.sonarsource.com/java/type/Vulnerability.
We don’t provide yet a nice display of our coverage of OWASP Top 10, CERT, SANS Top 25, but by using the Tags available on each rule you can find what you are looking for. For example, here are the rules for Java related to OWASP Top 10.

SQ Developer Edition is coming with a more advanced engine dedicated to the security domain and in particular it implements 6 rules for Java and C# (PHP should come later this year).

  • S3649: SQL queries should not be vulnerable to injection attacks
  • S2076: OS commands should not be vulnerable to injection attacks
  • S2091: XPath expressions should not be vulnerable to injection attacks
  • S2078: LDAP queries should not be vulnerable to injection attacks
  • S2631: Regular expressions should not be vulnerable to Denial of Service attacks
  • S2083: I/O function calls should not be vulnerable to path injection attacks

SonarCloud is having the features of the SQ Developer Edition, so you can try it for free on your open source projects.
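As an added illustration of the tag-based lookup described above (example code, not part of the original post or of SonarSource's tooling), this script builds an `api/rules/search` query for one OWASP tag and groups the rule keys in a response by their OWASP tags. The parameter names `languages`, `tags`, `types` and `ps`, the `sysTags`/`tags` response fields, and the sample response itself are assumptions constructed for the example.

```python
import json
from collections import defaultdict
from urllib.parse import urlencode

# Tags SonarQube uses to map rules onto OWASP Top 10 categories (assumed naming).
OWASP_TAGS = ["owasp-a%d" % i for i in range(1, 11)]


def rules_search_query(base_url, language, tag):
    """Build the api/rules/search URL listing Vulnerability rules that carry one tag.

    Assumption: 'languages', 'tags' and 'types' filter as on rules.sonarsource.com;
    'ps' is the page size (one page is enough for a single language and tag).
    """
    params = {"languages": language, "tags": tag, "types": "VULNERABILITY", "ps": 500}
    return f"{base_url}/api/rules/search?{urlencode(params)}"


def owasp_coverage(rules_json):
    """Group rule keys by OWASP tag from an api/rules/search response body.

    Assumption: built-in standards tags live in 'sysTags', user tags in 'tags'.
    Rules without any OWASP tag (e.g. a pure denial-of-service rule) are skipped.
    """
    coverage = defaultdict(set)
    for rule in json.loads(rules_json)["rules"]:
        for tag in rule.get("sysTags", []) + rule.get("tags", []):
            if tag in OWASP_TAGS:
                coverage[tag].add(rule["key"])
    return {tag: sorted(keys) for tag, keys in sorted(coverage.items())}


# Constructed sample response (not real server output). Rule numbers are the
# ones listed in the thread; the tag assignments are illustrative only.
SAMPLE_RESPONSE = json.dumps({
    "total": 4, "p": 1, "ps": 500,
    "rules": [
        {"key": "squid:S3649", "lang": "java", "type": "VULNERABILITY",
         "sysTags": ["cwe", "owasp-a1", "sql"], "tags": []},
        {"key": "squid:S2076", "lang": "java", "type": "VULNERABILITY",
         "sysTags": ["cwe", "owasp-a1"], "tags": []},
        {"key": "squid:S2631", "lang": "java", "type": "VULNERABILITY",
         "sysTags": ["cwe", "denial-of-service"], "tags": []},
        {"key": "squid:S2083", "lang": "java", "type": "VULNERABILITY",
         "sysTags": ["cwe"], "tags": ["owasp-a5"]},
    ],
})

if __name__ == "__main__":
    print(rules_search_query("https://sonar.example", "java", "owasp-a1"))
    print(owasp_coverage(SAMPLE_RESPONSE))
```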


(Balázs Hosszu) #5

Hey @Alexandre_Gigleux!

As a previous blogpost mentions:

Coming with that, we will soon provide a dedicated security space so you can easily check your compliance with OWASP Top 10 and SANS Top 25 standards. Stay tuned!

Are there any updates on that? Is this coming only for SonarCloud, or for on-premise SonarQube too?
https://blog.sonarsource.com/sonarcloud-is-entering-sast-market

Thanks,
Balázs


(Nicolas Bontoux) #6

Hey @hosszubalazs,

It’s actually already available in both SonarQube and SonarCloud! You can check out the SonarQube 7.3 announcement, which mentions Security Reports, and also see it live in SonarCloud.

Complementary to that is the support of security hotspots for each language, which is coming pretty rapidly (4 additional languages supported with SonarQube 7.4, announced last week), as well as ever more powerful rules to detect vulnerabilities in your code (on top of the key rules already mentioned in that blog post).