# Security reports *Security reports are available starting in* [*Enterprise Edition*](https://www.sonarsource.com/plans-and-pricing/enterprise/)*.* ## What do security reports show? Security reports quickly give you the big picture of your project, application or portfolio's security. They let you to know where you stand compared to the most common security mistakes made in the past: * [OWASP Top 10](https://owasp.org/Top10/) (2025, 2021, 2017)

OWASP Top 10 security standards covered by Sonar for version 2025

Category	Python	JS/TS	Java	C#	C/C++	PHP	Kotlin	Go
A01:Broken Access Control
A02: Security Misconfiguration
A03: Software Supply Chain Failures
A04: Cryptographic Failures
A05: Injection
A06: Insecure design
A07: Authentication Failures
A08: Software and Data Integrity Failures
A09: Logging and Alerting Failures
A10: Mishandling of Exceptional Conditions

* [OWASP Mobile Top 10 2024](https://owasp.org/www-project-mobile-top-10/)

OWASP Mobile Top 10 security standards covered by Sonar for version 2024

Standard	Java	Kotlin	Dart	Swift
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography

* [CWE Top 25](https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html) (2024, 2023, 2022, and 2021)

CWE Top 25 security standards covered by Sonar for version 2024

Category	Python	JS/TS	Java	C#	C/C++	PHP	Kotlin
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-787 Out-of-bounds Write
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-125 Out-of-bounds Read
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-416 Use After Free
CWE-862 Missing Authorization
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-94 Improper Control of Generation of Code (‘Code Injection’)
CWE-20 Improper Input Validation
CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-287 Improper Authentication
CWE-269 Improper Privilege Management
CWE-502 Deserialization of Untrusted Data
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-863 Incorrect Authorization
CWE-918 Server-Side Request Forgery (SSRF)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-476 NULL Pointer Dereference
CWE-798 Use of Hard-coded Credentials
CWE-190 Integer Overflow or Wraparound
CWE-400 Uncontrolled Resource Consumption
CWE-306 Missing Authentication for Critical Function

* [CASA](https://appdefensealliance.dev/casa) * [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) (5.0 and 4.0, levels 1, 2, 3) * [OWASP MASVS](https://mas.owasp.org/MASVS/) * [OWASP Top 10 for LLM Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/) (2025) * [PCI DSS](https://www.pcisecuritystandards.org/) (4.0 and 3.2) * [STIG ASD](https://www.cyber.mil/stigs/) (6 and 5) They represent the bare minimum compliance for anyone putting in place a secure development lifecycle. Depending on the configuration of your SonarQube Server instance, security reports are generated with metrics either from [standard-experience](https://docs.sonarsource.com/sonarqube-server/instance-administration/analysis-functions/instance-mode/standard-experience "mention") or [mqr-mode](https://docs.sonarsource.com/sonarqube-server/instance-administration/analysis-functions/instance-mode/mqr-mode "mention"). ### Software Composition Analysis (SCA) in security reports If you have [SonarQube Advanced Security](https://www.sonarsource.com/solutions/security/), the reports include Software Composition Analysis (SCA) data in a **Dependency Risk** column for project, application and portfolio-level reports in both the SonarQube Server UI and exported PDFs. See [advanced-security](https://docs.sonarsource.com/sonarqube-server/advanced-security "mention") for more details. ## What are the differences among the security issues? Security Hotspots and Security Vulnerabilities (in Standard Experience) or Security issues (in MQR Mode) differ in that: * Security Hotspot is a security-sensitive piece of code that is highlighted but doesn’t necessarily impact the overall application security. It’s up to the developer to review the code and determine whether or not a fix is needed to secure it. * Security Vulnerability (in Standard Experience) or Security (in MQR Mode) is a problem that impacts the application’s security and needs to be fixed immediately. For more details, see the [security-hotspots](https://docs.sonarsource.com/sonarqube-server/user-guide/security-hotspots "mention") page. ## Why don’t I see any security issues? A rating is unavailable and displayed as a dash (-) for Security Vulnerabilities (in Standard Experience), Security issues (in MQR Mode), or Security Hotspots for the following reasons: * Your code has been written without using any security-sensitive API. * Security Vulnerability (in Standard Experience), Security (in MQR Mode), or Security Hotspot rules are available but not activated in your quality profile, so no security issues are being raised. For example. if there are no rules corresponding to a given OWASP category activated in your quality profile, you won’t get issues linked to that specific category and the rating displayed will be a dash (-). * SonarQube Server might not currently have many rules for your programming language, so it won’t raise any issues or only a few security issues are being recognized. ## Downloading a PDF copy You can download a PDF copy of your security report for projects and applications:

Downloading a PDF copy of your security report

1. Retrieve your project or application. See [retrieving-projects](https://docs.sonarsource.com/sonarqube-server/user-guide/viewing-projects/retrieving-projects "mention") for more information. 2. Go to **Security reports** and select **Download security report (PDF)**. The PDF contains: * The number of open Security Vulnerabilities (in Standard Experience) or Security issues (in MQR Mode) and the security rating on both overall code and new code. * The number of Security Hotspots, the percentage of reviewed Security Hotspots, and the security review rating on both overall and new code. * Your Sonar, OWASP, CWE reports. ## Related pages * [pdf-reports](https://docs.sonarsource.com/sonarqube-server/user-guide/viewing-reports/pdf-reports "mention") * [regulatory-reports](https://docs.sonarsource.com/sonarqube-server/user-guide/viewing-reports/regulatory-reports "mention") * [portfolios](https://docs.sonarsource.com/sonarqube-server/user-guide/viewing-reports/portfolios "mention") * [#downloading-a-dependency-risk-report](https://docs.sonarsource.com/sonarqube-server/advanced-security/reviewing-and-fixing-dependency-risks#downloading-a-dependency-risk-report "mention")