Viewing a portfolio security report
On this page
Overview
This feature is only available in the Enterprise plan. Before you can view the Enterprise-level reports, your organization must be added to an enterprise. For more information, see Managing your enterprise.
Portfolio security reports provide an aggregated view of your organization's security across multiple projects. They are aimed at enterprise security teams, compliance and audit teams, and IT administrators who manage multiple projects and require an in-depth view of their enterprise security status.
Portfolio security reports are based on the following security standards:
- OWASP Top 10 (versions 2021 and 2017)
OWASP Top 10 security standards covered by Sonar for version 2021
| Category | Python | JS/TS | Java | C# | C/C++ | PHP | Kotlin |
| A01:Broken Access Control |  | | | | | | |
| A02: Cryptographic Failures | | | | | | | |
| A03: Injection | | | | | | | |
| A04: Insecure Design | | | | | | | |
| A05: Security Misconfiguration | | | | | | | |
| A06: Vulnerable and Outdated Components | | | | | | ||
| A07: Identification and Authentication Failures | | | | | | | |
| A08: Software and Data Integrity Failures | | | | | | ||
| A09: Security Logging and Monitoring Failures | | | | | | ||
| A10: Server-Side Request Forgery | | | | | |
OWASP Mobile Top 10 security standards covered by Sonar for version 2024
| Standard | Java | Kotlin | Dart | Swift |
|---|---|---|---|---|
| M1: Improper Credential Usage | | | | |
| M2: Inadequate Supply Chain Security | | | | |
| M3: Insecure Authentication/Authorization | | | ||
| M4: Insufficient Input/Output Validation | | | ||
| M5: Insecure Communication | | | | |
| M6: Inadequate Privacy Controls | | | ||
| M7: Insufficient Binary Protections | | |||
| M8: Security Misconfiguration | | | | |
| M9: Insecure Data Storage | | | | |
| M10: Insufficient Cryptography | | | | |
- CWE Top 25 (versions 2024, 2023, 2022, and 2021)
CWE Top 25 security standards covered by Sonar for version 2024
| Category | Python | JS/TS | Java | C# | C/C++ | PHP | Kotlin |
|---|---|---|---|---|---|---|---|
| CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | | | | | | | |
| CWE-787 Out-of-bounds Write | | ||||||
| CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | | | | | | | |
| CWE-352 Cross-Site Request Forgery (CSRF) | | | | | | ||
| CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | | | | | | | |
| CWE-125 Out-of-bounds Read | | ||||||
| CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | | | | | | | |
| CWE-416 Use After Free | | ||||||
| CWE-862 Missing Authorization | |||||||
| CWE-434 Unrestricted Upload of File with Dangerous Type | | ||||||
| CWE-94 Improper Control of Generation of Code ('Code Injection') | | | | | | | |
| CWE-20 Improper Input Validation | | | | | | | |
| CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') | | | | | | ||
| CWE-287 Improper Authentication | | | |||||
| CWE-269 Improper Privilege Management | | | |||||
| CWE-502 Deserialization of Untrusted Data | | | | | | ||
| CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | | | | | | | |
| CWE-863 Incorrect Authorization | |||||||
| CWE-918 Server-Side Request Forgery (SSRF) | | | | | | | |
| CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer | | ||||||
| CWE-476 NULL Pointer Dereference | | | | | | ||
| CWE-798 Use of Hard-coded Credentials | | | | | | | |
| CWE-190 Integer Overflow or Wraparound | | | | ||||
| CWE-400 Uncontrolled Resource Consumption | | | | | | | |
| CWE-306 Missing Authentication for Critical Function |
- OWASP ASVS 4.0 Level 1, 2, 3
- PCI DSS (versions 4.0 and 3.2.1)
- CASA
- STIG
You can view security reports for any portfolio that contains projects that have previously undergone an analysis. For a given standard, the report displays the number of raised Security issues and Security Hotspots by security category.
To ensure reliable security reports, the relevant security rules must be activated in your portfolio's project quality profiles. For instance, if no rule corresponding to a given OWASP category is activated in your quality profile, you won't get Security issues or Security Hotspots linked to that specific category in the OWASP report. See Checking the security rules included in a project’s quality profile for more information.
Retrieving portfolio security reports
- Retrieve the portfolio
- Click on the Security Reports tab to open the report.
The portfolio report displays:
- Security standards filter in the left sidebar. Click on a security standard to filter the results.
- Security report results on the right side of the screen.
- Security reports overview at the top of the page with the Portfolio overall Security rating and Portfolio overall Security Review rating.
- A security standard section showing the number of Security issues and Security Hotspots that need to be addressed for a given category, for example, Sonar security standard.
- Security issues and Security Hotspots by category and sorted by rating. Click on the row in the table to view a category specific report on a separate page.
Related pages
Was this page helpful?
© 2008-2025 SonarSource SA. All rights reserved.
