The CWE and OWASP rules for Go are missing coverage in some areas. The gosec native JSON output provides CWE references for each security issue reported, but this does not come through when put into the SonarQube format for ingestion using the sonar.externalIssuesReportPaths parameter. Currently the gosec findings show up in Sonar as vulnerabilities with no CWE or OWASP association.
It would be ideal to either:
a. Add support to the externalIssuesReportPath file spec to allow for CWE references to be included or
b. Add support for the native JSON gosec output so that this output can be ingested and tied to the provided CWE references
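An interim workaround for the gap described above, as an added example that is not part of the original post and is not gosec or SonarQube code: convert gosec's native JSON into the generic external issue layout and carry the CWE id in the issue message, since that layout has no CWE field. The sample report is constructed, and the severity mapping and the helper names `to_generic_issue` and `convert` are assumptions.

```python
import json

# Constructed sample in the shape of gosec's native JSON report (-fmt=json).
GOSEC_REPORT = """
{"Issues": [
  {"severity": "HIGH", "confidence": "MEDIUM",
   "cwe": {"id": "338", "url": "https://cwe.mitre.org/data/definitions/338.html"},
   "rule_id": "G404", "details": "Use of weak random number generator",
   "file": "/src/app/token.go", "line": "12", "column": "9"},
  {"severity": "MEDIUM", "confidence": "HIGH",
   "cwe": {"id": "89", "url": "https://cwe.mitre.org/data/definitions/89.html"},
   "rule_id": "G201", "details": "SQL string formatting",
   "file": "/src/app/db.go", "line": "40-42", "column": "3"}
]}
"""

# Assumed mapping from gosec severities to Sonar severities; adjust to local policy.
SEVERITY = {"HIGH": "CRITICAL", "MEDIUM": "MAJOR", "LOW": "MINOR"}


def to_generic_issue(issue):
    """Map one gosec issue to a generic external issue, keeping the CWE id."""
    first, _, last = issue["line"].partition("-")  # gosec reports "12" or "40-42"
    text_range = {"startLine": int(first)}
    if last:
        text_range["endLine"] = int(last)
    message = issue["details"]
    cwe_id = (issue.get("cwe") or {}).get("id")
    if cwe_id:
        # No CWE field exists in the target layout, so prefix the message with it.
        message = f"[CWE-{cwe_id}] {message}"
    return {
        "engineId": "gosec",
        "ruleId": issue["rule_id"],
        "severity": SEVERITY.get(issue["severity"], "INFO"),
        "type": "VULNERABILITY",
        "primaryLocation": {"message": message, "filePath": issue["file"],
                            "textRange": text_range},
    }


def convert(report_text):
    """Convert a gosec native JSON report into a generic issue report dict."""
    issues = json.loads(report_text).get("Issues") or []
    return {"issues": [to_generic_issue(i) for i in issues]}


if __name__ == "__main__":
    print(json.dumps(convert(GOSEC_REPORT), indent=2))
```

The CWE id then appears only as message text, so the findings can be searched by CWE but still carry no CWE or OWASP association in Sonar.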