I am testing the static security analysis for SonarC# for OWASP rules.
In the following link: https://rules.sonarsource.com/csharp/tag/owasp (C# Rules filtered by OWASP), it mentions that the number of rules is 40.
My current setup is SonarQube ver. 7.9 and the SonarC# plugin ver. 7.17 (latest).
Under Rules, when we select C# and filter by the Security Category: OWASP 10, the results only display 29 rules. Just some quick checks:
- HTTP request redirections should not be open to forging attacks
- I/O function calls should not be vulnerable to path injection attacks
The rules above, which are defined in the link online, are not available in the Rules filtered in the SonarQube tool.
I would like to clarify why the rules defined in this link (https://rules.sonarsource.com/csharp/tag/owasp) are not the same as the ruleset displayed by the SonarC# plugin (ver. 7.17) in SonarQube?
Thanks in advance for your help.
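For readers who want to see what the two rules named in the post are looking for, here is an added example (written for this page, not code from the original post or from SonarSource's analyzer) showing the open-redirect and path-injection patterns in an ASP.NET Core controller, each beside a hardened version. It assumes .NET 6 / ASP.NET Core MVC; the controller, action and directory names are hypothetical.

```csharp
// Added example (not from the original post): patterns the two OWASP rules
// named above are meant to flag, each beside a hardened version.
// Assumes ASP.NET Core (.NET 6); controller, action and directory names are hypothetical.
using System;
using System.IO;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // --- "HTTP request redirections should not be open to forging attacks" ---

    // Vulnerable: the redirect target comes straight from the query string, so
    // /Account/LoginVulnerable?returnUrl=https://evil.example sends the user
    // off-site after what looked like a legitimate login page.
    public IActionResult LoginVulnerable(string returnUrl)
    {
        return Redirect(returnUrl);
    }

    // Hardened: only local (same-site, path-only) targets are honoured;
    // anything else falls back to a fixed route.
    public IActionResult LoginHardened(string returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return LocalRedirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}

public class FilesController : Controller
{
    // Hypothetical download directory; a real app would read this from configuration.
    private static readonly string BaseDir =
        Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "uploads"));

    // --- "I/O function calls should not be vulnerable to path injection attacks" ---

    // Vulnerable: "../" sequences or an absolute path in `name` escape BaseDir
    // (Path.Combine returns the second argument unchanged when it is rooted).
    public IActionResult DownloadVulnerable(string name)
    {
        var path = Path.Combine(BaseDir, name);
        return PhysicalFile(path, "application/octet-stream");
    }

    // Hardened: strip any directory component, canonicalise the result and
    // require it to stay inside BaseDir before touching the file system.
    public IActionResult DownloadHardened(string name)
    {
        if (string.IsNullOrEmpty(name)) return BadRequest();

        // Keep only the file-name part of whatever the client supplied.
        var fileName = Path.GetFileName(name);
        var fullPath = Path.GetFullPath(Path.Combine(BaseDir, fileName));

        // Defence in depth: even after GetFileName, verify the canonical path
        // is still under BaseDir (the separator guards against "uploads2").
        var rootWithSep = BaseDir + Path.DirectorySeparatorChar;
        if (!fullPath.StartsWith(rootWithSep, StringComparison.Ordinal))
        {
            return BadRequest();
        }

        // System.IO.File is qualified because ControllerBase also defines File().
        if (!System.IO.File.Exists(fullPath)) return NotFound();

        return PhysicalFile(fullPath, "application/octet-stream");
    }
}
```

The "vulnerable" actions are the shapes a taint-tracking rule reports: untrusted request data flows, without validation, into Redirect() or into a file-system call. The hardened actions show the checks (Url.IsLocalUrl, path canonicalisation plus a prefix test) that break that flow.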