SonarSource C# Ruleset

hongyin.lim · October 9, 2019, 7:37pm

Hi,

I am testing the static security analysis for SonarC# for OWASP rules.
In the following link: https://rules.sonarsource.com/csharp/tag/owasp (C# Rules filtered by OWASP), it mentions that the number of rules are 40.

My current setup is SonarQube ver 7.9 & the SonarC# plugin is 7.17 (latest)

Under the Rules, when we select C# and filter by the Security Category: OWASP 10 -> the results only displayed 29 rules.Just some quick checks:

HTTP request redirections should not be open to forging attacks
I/O function calls should not be vulnerable to path injection attacks
etc …
The rules above which is defined in the link online are not available in the Rules filtered from the SonarQube tool.

I would like to clarify why the rules defined here in this link (https://rules.sonarsource.com/csharp/tag/owasp) is not the same as the ruleset displayed in the SonarC# plugin (ver 7.17) in the Sonarqube ?

Thanks in advance for your help.

ColinHMueller · October 9, 2019, 9:00pm

More advanced security rules (such as those detecting injection flaws) are available for the Developer Edition ($) and above.

Feel free to get in touch about a trial license!