Security Reports

SonarQube Cloud's security reports give you the big picture of your application’s security. They allow you to know where you stand compared to the most common security mistakes.

Security reports are available in the SonarQube Cloud Enterprise plan.

What do security reports show?

Security reports quickly give you the big picture of your application’s security. They allow you to know where you stand compared to the most common security mistakes made in the past:

OWASP Top 10 (versions 2021 and 2017)

OWASP Top 10 security standards covered by Sonar for version 2021

Category

Python

JS/TS

Java

C/C++

PHP

Kotlin

A01:Broken Access Control

A02: Cryptographic Failures

A03: Injection

A04: Insecure Design

A05: Security Misconfiguration

A06: Vulnerable and Outdated Components

A07: Identification and Authentication Failures

A08: Software and Data Integrity Failures

A09: Security Logging and Monitoring Failures

A10: Server-Side Request Forgery

OWASP Mobile Top 10 2024

OWASP Mobile Top 10 security standards covered by Sonar for version 2024

Standard

Java

Kotlin

Dart

Swift

M1: Improper Credential Usage

M2: Inadequate Supply Chain Security

M3: Insecure Authentication/Authorization

M4: Insufficient Input/Output Validation

M5: Insecure Communication

M6: Inadequate Privacy Controls

M7: Insufficient Binary Protections

M8: Security Misconfiguration

M9: Insecure Data Storage

M10: Insufficient Cryptography

CWE Top 25 (versions 2024, 2023, 2022, and 2021)

CWE Top 25 security standards covered by Sonar for version 2024

Category

Python

JS/TS

Java

C/C++

PHP

Kotlin

CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CWE-787 Out-of-bounds Write

CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

CWE-352 Cross-Site Request Forgery (CSRF)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CWE-125 Out-of-bounds Read

CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

CWE-416 Use After Free

CWE-862 Missing Authorization

CWE-434 Unrestricted Upload of File with Dangerous Type

CWE-94 Improper Control of Generation of Code (‘Code Injection’)

CWE-20 Improper Input Validation

CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

CWE-287 Improper Authentication

CWE-269 Improper Privilege Management

CWE-502 Deserialization of Untrusted Data

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CWE-863 Incorrect Authorization

CWE-918 Server-Side Request Forgery (SSRF)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-476 NULL Pointer Dereference

CWE-798 Use of Hard-coded Credentials

CWE-190 Integer Overflow or Wraparound

CWE-400 Uncontrolled Resource Consumption

CWE-306 Missing Authentication for Critical Function

They represent the bare minimum to comply with for anyone putting in place a secure development lifecycle.

Make sure the relevant security rules are activated in your quality profiles; otherwise, your security reports will not be reliable. For instance, if no rule corresponding to a given OWASP category is activated in your quality profile, you won’t get issues or hotspots linked to that specific category in the OWASP report.

PreviousSecurity hotspots NextActivity and history

Last updated 1 month ago

Was this helpful?