Why don't some OWASP issues show up in the security report?

security
rules

(Saharat Sarasongkram) #1

SonarQube version: 7.3 Community License

Some issues are not included in the Security Reports after analysis; they are displayed inside the "Not OWASP" group even though they are tagged as owasp-a1...10, as in the screenshot below.

Why is it like that? What kind of issues will be included in the Security Reports?


(Alexandre Gigleux) #4

Hello,

Security Reports are only fed by a few analyzers. As of now: SonarJava, SonarC#, SonarTSQL, SonarSwift, SonarKotlin.
Coming soon, SonarPLSQL, SonarRuby and SonarScala will also feed the Security Reports.
Release after release, we make the analyzers compatible with this new feature introduced with SQ 7.3.

I created https://github.com/SonarSource/SonarJS/issues/1112 to not forget to enable this feature for SonarJS.

Regards


(Saharat Sarasongkram) #5

Thank you Alexandre.