Hi,
I am testing the static security analysis for SonarC# for OWASP rules.
In the following link: https://rules.sonarsource.com/csharp/tag/owasp (C# Rules filtered by OWASP), it mentions that the number of rules is 40.
My current setup is SonarQube ver 7.9 & the SonarC# plugin is 7.17 (latest).
Under the Rules, when we select C# and filter by the Security Category: OWASP 10 -> the results only displayed 29 rules. Just some quick checks:
- HTTP request redirections should not be open to forging attacks
- I/O function calls should not be vulnerable to path injection attacks
etc …
The rules above, which are defined in the link online, are not available in the Rules filtered from the SonarQube tool.
I would like to clarify why the rules defined here in this link (https://rules.sonarsource.com/csharp/tag/owasp) are not the same as the ruleset displayed in the SonarC# plugin (ver 7.17) in SonarQube?
Thanks in advance for your help.