# Security reports *Security reports are available starting in* [*Enterprise Edition*](https://www.sonarsource.com/plans-and-pricing/enterprise/)*.* ## What do security reports show? Security reports quickly give you the big picture of your application’s security. They allow you to know where you stand compared to the most common security mistakes made in the past: * [OWASP Top 10](https://owasp.org/Top10/) (versions 2021 and 2017)
OWASP Top 10 security standards covered by Sonar for version 2021 | | | | | | | | | ----------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | | **Category** | **Python** | **JS/TS** | **Java** | **C#** | **C/C++** | **PHP** | | A01:Broken Access Control | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | A02: Cryptographic Failures | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | A03: Injection | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | A04: Insecure Design | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | A05: Security Misconfiguration | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | A06: Vulnerable and Outdated Components |


|


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| | A07: Identification and Authentication Failures | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | A08: Software and Data Integrity Failures | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | A09: Security Logging and Monitoring Failures | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | A10: Server-Side Request Forgery | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |
* [CWE Top 25](https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html) (versions 2023, 2022, and 2021)
CWE Top 25 security standards covered by Sonar for version 2023 | | | | | | | | | ----------------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | | **Category** | **Python** | **JS/TS** | **Java** | **C#** | **C/C++** | **PHP** | | CWE-787: Out-of-bounds Write |


|


|


|


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| |

CWE-79: Improper Neutralization of Input During
Web Page Generation (‘Cross-site Scripting’)

| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | |

CWE-89: Improper Neutralization of Special
Elements used in an SQL Command (‘SQL Injection’)

| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | CWE-416: Use After Free |


|


|


|


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| |

CWE-78: Improper Neutralization of Special
Elements used in an OS Command
(‘OS Command Injection’)

| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | CWE-20: Improper Input Validation | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | CWE-125: Out-of-bounds Read |


|


|


|


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| |

CWE-22: Improper Limitation of a Pathname
to a Restricted Directory (‘Path Traversal’)

| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | CWE-352: Cross-Site Request Forgery (CSRF) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | |

CWE-434: Unrestricted Upload of File with
Dangerous Type

|


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


|


|


|


| | CWE-862: Missing Authorization |


|


|


|


|


|


| | CWE-476: NULL Pointer Dereference | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| | CWE-287: Improper Authentication |


|


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


|


|


| | CWE-190: Integer Overflow or Wraparound |


|


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| | CWE-502: Deserialization of Untrusted Data | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | |

CWE-77: Improper Neutralization of Special
Elements used in a Command (‘Command Injection’)

| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | |

CWE-119: Improper Restriction of Operations
within the Bounds of a Memory Buffer

|


|


|


|


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| | CWE-798: Use of Hard-coded Credentials | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | CWE-918: Server-Side Request Forgery (SSRF) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | CWE-306: Missing Authentication for Critical Function |


|


|


|


|


|


| |

CWE-362: Concurrent Execution using Shared
Resource with Improper Synchronization
(‘Race Condition’)

|


|


|


|


|


|


| | CWE-269: Improper Privilege Management | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


|


|


|


| |

CWE-94: Improper Control of Generation of
Code (‘Code Injection’)

| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) |


| ![Checkmark icon](/files/VLvbxqoHTSaZuVE0vtQT) | | CWE-863: Incorrect Authorization |


|


|


|


|


|


| | CWE-276: Incorrect Default Permissions |


|


|


|


|


|


|
* [OWASP ASVS 4.0 Level 1, 2, 3](https://owasp.org/www-project-application-security-verification-standard/) * [PCI DSS](https://www.pcisecuritystandards.org/) (versions 4.0 and 3.2.1) * [CASA](https://appdefensealliance.dev/casa) * [STIG](https://public.cyber.mil/stigs/) They represent the bare minimum compliance for anyone putting in place a secure development lifecycle. Depending on the configuration of your SonarQube Server instance, security reports are generated with metrics either from [Standard Experience](/sonarqube-server/2025.2/instance-administration/analysis-functions/instance-mode/standard-experience.md) or [MQR mode](/sonarqube-server/2025.2/instance-administration/analysis-functions/instance-mode/mqr-mode.md). ## What are the differences among the security issues? Security Hotspots and Security Vulnerabilities (in Standard Experience) or Security issues (in MQR Mode) differ in that: * Security Hotspot is a security-sensitive piece of code that is highlighted but doesn’t necessarily impact the overall application security. It’s up to the developer to review the code and determine whether or not a fix is needed to secure it. * Security Vulnerability (in Standard Experience) or Security (in MQR Mode) is a problem that impacts the application’s security and needs to be fixed immediately. For more details, see the [Managing Security Hotspots](/sonarqube-server/2025.2/user-guide/security-hotspots.md) page. ## Why don’t I see any security issues? A rating is unavailable and displayed as a dash (-) for Security Vulnerabilities (in Standard Experience), Security issues (in MQR Mode), or Security Hotspots for the following reasons: * Your code has been written without using any security-sensitive API. * Security Vulnerability (in Standard Experience), Security (in MQR Mode), or Security Hotspot rules are available but not activated in your quality profile, so no security issues are being raised. For example. if there are no rules corresponding to a given OWASP category activated in your quality profile, you won’t get issues linked to that specific category and the rating displayed will be a dash (-). * SonarQube Server might not currently have many rules for your programming language, so it won’t raise any issues or only a few security issues are being recognized. ## Downloading a PDF copy You can download a PDF copy of your security reports by clicking **Download as PDF** in the upper-right corner of the **Security reports** page. The PDF contains: * the number of open Security Vulnerabilities (in Standard Experience) or Security issues (in MQR Mode) and the security rating on both overall code and new code. * the number of Security Hotspots, the percentage of reviewed Security Hotspots, and the security review rating on both overall and new code. * your Sonar, OWASP Top 10, and CWE Top 25 2020 reports. ## Related pages * [PDF reports](/sonarqube-server/2025.2/user-guide/viewing-reports/pdf-reports.md) * [Regulatory reports](/sonarqube-server/2025.2/user-guide/viewing-reports/regulatory-reports.md) * [Portfolios](/sonarqube-server/2025.2/user-guide/viewing-reports/portfolios.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sonarsource.com/sonarqube-server/2025.2/user-guide/viewing-reports/security-reports.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.