I’ve been using Sonarqube for years but I always wondered why the default profile “Sonarway” is missing some security related rules (vulnerability and security hotspots) that are in status ready ?
Who decides which security rule to add or remove in the Sonarway profile ?
For developers who want to improve detecting vulnerabilities with SAST tools, do you recommend to enable all vulnerabilities and security hotspots rules in status “ready” or just stick with sonarway ?
For Vulnerability or Hotspot rules, there is no reason to not have them enabled by default in the “Sonar Way” Quality Profile.
We discovered recently some exceptions to that principle, it was because we identified that the rule was noisy (and its status was not moved to Beta) and a fix was about to be implemented.
Do you have examples of Vulnerability or Hotspot rules that are not active by default?
Thank you Alexandre for the quick reply.
I am using Sonarqube version 9.8 Community Edition. I have compared the number of Vulnerabilities and Hotspot rules which are on status ready and the ones available in sonarway but the numbers don’t match.
For example in Java language, Sonarway has 30 Vulnerabilities rules and 37 Security Hotspots. But there are 167 vulnerabilities rules in status ready for Java. So there is a difference of 137 non active rules which are in status ready and related to potential vulnerabilities. These rules are coming from Find Security Bugs (Java). Here are some missing rules titles:
Security - A malicious XSLT could be provided
Security - AWS Query Injection
Security - Blowfish usage with short key
Security - Cookie without the HttpOnly flag
Security - Dangerous combination of permissions granted
FindSecBugs is a third-party plugin, so I have no idea why they do not have their rules activated by default.
You should consider upgrading to SonarQube Developer Edition 9.9 LTS as you care about finding security flaws. It’s only starting from this version that you get all the security rules provided by SonarSource, including the injection vulnerability ones.