Please can someone tell me what difference there is between the different editions of SonarQube (Community, Developer, etc) in regard to security compliance/security rules (OWASP, CWE, SANS, other)?
Is there a link or doc that details any differences?
Thanks in advance
SonarQube Community Edition is coming with rules dedicated to the security domain mainly for Java, C# and PHP. I let you heck the Vulnerability and Security Hotspots rules for each language directly on https://rules.sonarsource.com/java/type/Vulnerability.
We don’t provide yet a nice display of our coverage of OWASP Top 10, CERT, SANS Top 25 but by using the Tags available on each rule you can find what you are looking for. For example, here are the rules for Java related to OWASP Top 10
SQ Developer Edition is coming with a more advanced engine dedicated to the security domain and in particular it implements 6 rules for Java and C# (PHP should come later this year).
S3649: SQL queries should not be vulnerable to injection attacks
S2076: OS commands should not be vulnerable to injection attacks
S2091: XPath expressions should not be vulnerable to injection attacks
S2078: LDAP queries should not be vulnerable to injection attacks
S2631: Regular expressions should not be vulnerable to Denial of Service attacks
S2083: I/O function calls should not be vulnerable to path injection attacks
SonarCloud is having the features of the SQ Developer Edition, so you can try it for free on your open source projects.
As a previous blogpost mentions:
Coming with that, we will soon provide a dedicated security space so you can easily check your compliance with OWASP Top 10 and SANS Top 25 standards. Stay tuned!
Are there any updates on that? Is this coming only for SonarCloud, or for on-premise SonarQube too?
It’s actually already available in both SonarQube and SonarCloud! You can check-out the SonarQube 7.3 announcement which mentions Security Reports, and also see it live in SonarCloud.
Complimentary to that is the support of security hotspots for each language, which is coming pretty rapidly (4 additional languages supported with SonarQube 7.4 announced last week). As well as always more powerful rules to detect vulnerabilities in your code (on top of the key rules mentioned in that blog post already).