Start Free
2025.1 | User guide | Viewing reports | Security reports

Viewing security reports

On this page

Security reports are available starting in Enterprise Edition.

What do security reports show?

Security reports quickly give you the big picture of your application's security. They allow you to know where you stand compared to the most common security mistakes made in the past:

OWASP Top 10 security standards covered by Sonar for version 2021
CategoryPythonJS/TSJavaC#C/C++PHP
A01:Broken Access Control
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A02: Cryptographic Failures 
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A03: Injection
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
A04: Insecure Design
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A05: Security Misconfiguration
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A06: Vulnerable and Outdated Components

Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A07: Identification and Authentication Failures
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A08: Software and Data Integrity Failures
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
A09: Security Logging and Monitoring Failures
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
A10: Server-Side Request Forgery
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE Top 25 security standards covered by Sonar for version 2023
CategoryPythonJS/TSJavaC#C/C++PHP
CWE-787: Out-of-bounds Write



Checkmark icon

CWE-79:  Improper Neutralization of Input During
Web Page Generation ('Cross-site Scripting')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-89: Improper Neutralization of Special
Elements used in an SQL Command ('SQL Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-416: Use After Free



Checkmark icon

CWE-78: Improper Neutralization of Special
Elements used in an OS Command
('OS Command Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-20: Improper Input Validation
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-125: Out-of-bounds Read



Checkmark icon

CWE-22: Improper Limitation of a Pathname
to a Restricted Directory ('Path Traversal')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-352: Cross-Site Request Forgery (CSRF)
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-434: Unrestricted Upload of File with
Dangerous Type

Checkmark icon




CWE-862: Missing Authorization





CWE-476: NULL Pointer Dereference
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

CWE-287: Improper Authentication

Checkmark icon



CWE-190: Integer Overflow or Wraparound

Checkmark icon
Checkmark icon
Checkmark icon

CWE-502: Deserialization of Untrusted Data
Checkmark icon

Checkmark icon
Checkmark icon

Checkmark icon
CWE-77: Improper Neutralization of Special
Elements used in a Command ('Command Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-119: Improper Restriction of Operations
within the Bounds of a Memory Buffer




Checkmark icon

CWE-798: Use of Hard-coded Credentials
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
CWE-918: Server-Side Request Forgery (SSRF)
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-306: Missing Authentication for Critical Function





CWE-362: Concurrent Execution using Shared
Resource with Improper Synchronization
('Race Condition')






CWE-269: Improper Privilege Management
Checkmark icon
Checkmark icon




CWE-94: Improper Control of Generation of
Code ('Code Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-863: Incorrect Authorization





CWE-276: Incorrect Default Permissions





They represent the bare minimum compliance for anyone putting in place a secure development lifecycle.

Depending on the configuration of your SonarQube Server instance, security reports are generated with metrics either from Standard Experience or MQR Mode.

What are the differences among the security issues?

Security Hotspots and Security Vulnerabilities (in Standard Experience) or Security issues (in MQR Mode) differ in that:

  • Security Hotspot is a security-sensitive piece of code that is highlighted but doesn't necessarily impact the overall application security. It's up to the developer to review the code and determine whether or not a fix is needed to secure it.
  • Security Vulnerability (in Standard Experience) or Security (in MQR Mode) is a problem that impacts the application's security and needs to be fixed immediately.

For more details, see the Security hotspots page.

Why don't I see any security issues?

A rating is unavailable and displayed as a dash (-) for Security Vulnerabilities (in Standard Experience), Security issues (in MQR Mode), or Security Hotspots for the following reasons:

  • Your code has been written without using any security-sensitive API.
  • Security Vulnerability (in Standard Experience), Security (in MQR Mode), or Security Hotspot rules are available but not activated in your quality profile, so no security issues are being raised. For example. if there are no rules corresponding to a given OWASP category activated in your quality profile, you won't get issues linked to that specific category and the rating displayed will be a dash (-).
  • SonarQube Server might not currently have many rules for your programming language, so it won't raise any issues or only a few security issues are being recognized.

Downloading a PDF copy

You can download a PDF copy of your security reports by clicking Download as PDF in the upper-right corner of the Security reports page.

The PDF contains:

  • the number of open Security Vulnerabilities (in Standard Experience) or Security issues (in MQR Mode) and the security rating on both overall code and new code.
  • the number of Security Hotspots, the percentage of reviewed Security Hotspots, and the security review rating on both overall and new code.
  • your SonarSource, OWASP Top 10, and CWE Top 25 2020 reports.

Was this page helpful?

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License