Viewing portfolio security reports

Your SonarQube Cloud porfolio's security reports page provides an aggregated view of security ratings across projects in the portfolio.

This feature is only available in the Enterprise plan.

Before you can view the Enterprise-level reports, your organization must be added to an enterprise. For more information, see Managing your enterprise.

Overview

Portfolio security reports provide an aggregated view of your organization’s security across multiple projects. They are aimed at enterprise security teams, compliance and audit teams, and IT administrators who manage multiple projects and require an in-depth view of their enterprise security status.

Portfolio security reports are based on the following security standards:

OWASP Top 10 security standards covered by Sonar for version 2021

Category

Python

JS/TS

Java

C#

C/C++

PHP

Kotlin

A01:Broken Access Control

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A02: Cryptographic Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A03: Injection

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A04: Insecure Design

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A05: Security Misconfiguration

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A06: Vulnerable and Outdated Components

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A07: Identification and Authentication Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A08: Software and Data Integrity Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A09: Security Logging and Monitoring Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A10: Server-Side Request Forgery

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

OWASP Mobile Top 10 security standards covered by Sonar for version 2024

Standard

Java

Kotlin

Dart

Swift

M1: Improper Credential Usage

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

M2: Inadequate Supply Chain Security

Checkmark icon

Checkmark icon

Checkmark icon

M3: Insecure Authentication/Authorization

Checkmark icon

Checkmark icon

M4: Insufficient Input/Output Validation

Checkmark icon

Checkmark icon

M5: Insecure Communication

Checkmark icon

Checkmark icon

Checkmark icon

M6: Inadequate Privacy Controls

Checkmark icon

Checkmark icon

M7: Insufficient Binary Protections

Checkmark icon

M8: Security Misconfiguration

Checkmark icon

Checkmark icon

Checkmark icon

M9: Insecure Data Storage

Checkmark icon

Checkmark icon

Checkmark icon

M10: Insufficient Cryptography

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE Top 25 security standards covered by Sonar for version 2024

Category

Python

JS/TS

Java

C#

C/C++

PHP

Kotlin

CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-787 Out-of-bounds Write

Checkmark icon

CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-352 Cross-Site Request Forgery (CSRF)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-125 Out-of-bounds Read

Checkmark icon

CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-416 Use After Free

Checkmark icon

CWE-862 Missing Authorization

CWE-434 Unrestricted Upload of File with Dangerous Type

Checkmark icon

CWE-94 Improper Control of Generation of Code (‘Code Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-20 Improper Input Validation

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-287 Improper Authentication

Checkmark icon

Checkmark icon

CWE-269 Improper Privilege Management

Checkmark icon

Checkmark icon

CWE-502 Deserialization of Untrusted Data

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-863 Incorrect Authorization

CWE-918 Server-Side Request Forgery (SSRF)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Checkmark icon

CWE-476 NULL Pointer Dereference

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-798 Use of Hard-coded Credentials

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-190 Integer Overflow or Wraparound

Checkmark icon

Checkmark icon

Checkmark icon

CWE-400 Uncontrolled Resource Consumption

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-306 Missing Authentication for Critical Function

You can view security reports for any portfolio that contains projects that have previously undergone an analysis. For a given standard, the report displays the number of raised Security issues and Security Hotspots by security category.

To ensure reliable security reports, the relevant security rules must be activated in your portfolio’s project quality profiles. For instance, if no rule corresponding to a given OWASP category is activated in your quality profile, you won’t get Security issues or Security Hotspots linked to that specific category in the OWASP report. See Checking the security rules included in a project’s quality profile for more information.

Retrieving portfolio security reports

  1. Retrieve your portfolio. See Viewing portfolios for more information.

  2. Click on the Security Reports tab to open the report.

The portfolio report displays:

  1. Security standards can be filtered in the left sidebar. Select a security standard to filter the results.

  2. The Security reports overview and filtered standard are found in the main window.

  3. Your Security reports overview is at the top of the page which includes your Portfolio overall Security rating and Portfolio overall Security Review rating.

  4. This section shows the full number of Security issues and Security Hotspots that need to be addressed for your selected Security standard. The report results are generated based on relevant active security rules for projects in your portfolio.

  5. A list of Categories that contain Security issues and Security Hotspots fitting each category are sorted by rating. Select a Category row from the table to open a category specific report. Note that a single Security issue or Security Hotspot may show up in more than one category.

Each section of your Security Reports overview helps you understand the overall impact these issues have on your project.

Last updated

Was this helpful?