This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

Security reports

Security reports give you the big picture of your application’s security. They allow you to know where you stand compared to the most common security mistakes.

Security reports are available starting in Enterprise Edition.

What do security reports show?

Security reports quickly give you the big picture of your application’s security. They allow you to know where you stand compared to the most common security mistakes made in the past:

OWASP Top 10 security standards covered by Sonar for version 2021

Category

Python

JS/TS

Java

C#

C/C++

PHP

A01:Broken Access Control

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A02: Cryptographic Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A03: Injection

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A04: Insecure Design

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A05: Security Misconfiguration

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A06: Vulnerable and Outdated Components

Checkmark icon

Checkmark icon

A07: Identification and Authentication Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A08: Software and Data Integrity Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A09: Security Logging and Monitoring Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A10: Server-Side Request Forgery

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE Top 25 security standards covered by Sonar for version 2023

Category

Python

JS/TS

Java

C#

C/C++

PHP

CWE-787: Out-of-bounds Write

Checkmark icon

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-416: Use After Free

Checkmark icon

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-20: Improper Input Validation

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-125: Out-of-bounds Read

Checkmark icon

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-352: Cross-Site Request Forgery (CSRF)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-434: Unrestricted Upload of File with Dangerous Type

Checkmark icon

CWE-862: Missing Authorization

CWE-476: NULL Pointer Dereference

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-287: Improper Authentication

Checkmark icon

CWE-190: Integer Overflow or Wraparound

Checkmark icon

Checkmark icon

Checkmark icon

CWE-502: Deserialization of Untrusted Data

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Checkmark icon

CWE-798: Use of Hard-coded Credentials

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-918: Server-Side Request Forgery (SSRF)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-306: Missing Authentication for Critical Function

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

CWE-269: Improper Privilege Management

Checkmark icon

Checkmark icon

CWE-94: Improper Control of Generation of Code (‘Code Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-863: Incorrect Authorization

CWE-276: Incorrect Default Permissions

They represent the bare minimum to comply with for anyone putting in place a secure development lifecycle.

Security reports rely on the rules activated in your quality profile to raise security issues. If there are no rules corresponding to a given OWASP category activated in your quality profile, you won’t get issues linked to that specific category and the rating displayed will be A. That doesn’t mean you are safe for that category, it implies that you need to activate more rules (assuming some exist) in your quality profile.

What’s the difference between a security hotspot and a vulnerability?

Security hotspots and vulnerabilities differ in that:

  • A security hotspot is a security-sensitive piece of code that is highlighted but doesn’t necessarily impact the overall application security. It’s up to the developer to review the code and determine whether or not a fix is needed to secure the code.

  • A vulnerability is a problem that impacts the application’s security that needs to be fixed immediately.

For more details, see the Managing security hotspots page.

Why don’t I see any vulnerabilities or security hotspots?

You might not see any vulnerabilities or security hotspots for the following reasons:

  • Your code has been written without using any security-sensitive API.

  • Vulnerability or security hotspot rules are available but not activated in your quality profile so no security hotspots or vulnerabilities are raised.

  • SonarQube might not currently have many rules for your language, so it won’t raise any issues or only a few vulnerabilities or security hotspots will be recognized.

Downloading a PDF copy

You can download a PDF copy of your security reports by selecting the Download as PDF button in the upper-right corner of the Security reports page.

The PDF contains:

  • the number of open vulnerabilities and the security rating on both overall code and new code.

  • the number of security hotspots, the percentage of reviewed security hotspots, and the security review rating on both overall and new code.

  • your SonarSource, OWASP Top 10, and CWE Top 25 2020 reports.

Last updated

Was this helpful?