Security Assessment for SonarQube™ Cloud

Provides insights into the security standards compliance of your projects (OWASP Top 10, CWE SANS Top 25, OWASP ASVS), including risk factors, vulnerabilities, and hotspots by SonarQube™ Cloud categories.


Download Security Reports in PDF from SonarQube™ Cloud


With support for OWASP Top 10, CWE Top 25, and OWASP ASVS, this solution generates PDF reports showing the critical vulnerabilities of your SonarQube™ Cloud (SonarCloud™) projects, helping you comply with the most important security standards.

This command-line application provides predefined PDF reports that offer clear, executive-level information about the security status of your code.


OWASP Top 10 PDF Report for SonarQube™ Cloud

The OWASP Top 10 lists the ten most critical security risks for web applications, helping developers and organizations protect their projects. It is maintained by OWASP, a leader in software security.

This solution allows exporting OWASP Top 10 2021 and OWASP Top 10 2017 reports directly to PDF.


CWE Top 25 PDF Report: Prioritize Critical Weaknesses

CWE Top 25 provides a common language to identify and prioritize the most critical software weaknesses, enabling better risk prevention and mitigation. It is maintained by the MITRE Corporation.

bitegarden Security Assessment for SonarQube™ Cloud (SonarCloud™) supports PDF generation for CWE Top 25 2022, CWE Top 25 2021, CWE Top 25 2020, and CWE Top 25 2019.


OWASP ASVS PDF Report: Verify Your Application Security

OWASP ASVS defines security verification requirements for architects, developers, and testers, helping ensure applications are built and tested securely.

bitegarden Security Assessment for SonarQube™ Cloud (SonarCloud™) supports generating PDFs with complete OWASP ASVS information.


ISO 5055 PDF Report: Evaluate Reliability and Security

ISO/IEC 5055:2021 measures the internal structure of software across Security, Reliability, Performance Efficiency, and Maintainability, as a way of determining system robustness and reliability.

bitegarden Security Assessment for SonarQube™ Cloud (SonarCloud™) supports PDF generation according to the ISO/IEC 5055:2021 standard.





Looking for PDF report generation for SonarQube™ Server? Check out bitegarden Security Plugin for SonarQube™ Server.


OWASP 2021 sample page


ISO 5055 sample page

Features


Main features include:

- Java Command Line Tool that can be used standalone or integrated into your CI/CD tool as a step to automatically generate the report.

- SonarCloud™ OWASP Top 10 in PDF to verify your code against the standard, including all the security metrics and vulnerabilities.

- SonarCloud™ CWE Top 25 in PDF to verify your code against the CWE Top 25 Most Dangerous Software Weaknesses.

Additional options


PDF generation includes additional customizations:

- Support for branches: generate PDF reports for any of your project branches.
- Support for all SonarCloud™ languages and technologies.
- Support for custom footer logo to add your organization logo.
- Support for English and Spanish reports.


SonarQube Cloud Security

Frequently Asked Questions (FAQ)

Which OWASP Top 10 versions are supported?

The tool supports OWASP Top 10 2017 and OWASP Top 10 2021.

Can I generate reports for multiple branches?

Yes, the tool allows PDF generation for any branch of your SonarCloud™ project.

In which languages are the reports available?

Reports can be generated in English and Spanish.

Getting Started


bitegarden Security Report for SonarCloud™ requires Java 8 or later.


How to generate PDF security reports for projects in SonarCloud™


Here is a quick usage guide for generating PDF security reports from SonarCloud™.

Once you have downloaded the product you will have an executable "jar" file.

Put it anywhere in your filesystem and run the jar with the --help option to see all the available options:

java -jar bitegarden-sonarcloud-security.jar --help

You will get something like this:

...
Mandatory properties:

                      sonar.token = your user security token to authenticate against SonarCloud.
                                    It is recommended to generate a new token for this app.
                 sonar.projectKey = the project key from SonarCloud. You can find it in SonarCloud project information
            sonar.organizationKey = the SonarCloud organization the project belongs to

          Optional properties:

                      report.type = owasp-top-10-2021 (default value)
                                    owasp-top-10-2017
                                    cwe-top-25-2022
                                    cwe-top-25-2021
                                    cwe-top-25-2020
                                    cwe-top-25-2019
                                    owasp-asvs
                                    iso-5055

                     sonar.branch = the branch where we will get the information for the report (default is main branch)
                       footer.url = URL of the image to display centered in footer (PNG or JPG format are supported)
                      user.locale = Locale to use for generated PDF file. Options are English (user.locale=en) or Spanish (user.locale=es)
                           output = File name for the generated report
            report.optional.label = Extra optional label (To display optional label, its required optional value too, else, it won't be rendered)
            report.optional.value = Description for the optional value
disable.iso5055.not.supported.cwe = If you want to show Not Supported CWE, change that option to false (default is true)

...

All the properties should be passed to the command-line app as Java system properties with "-D", or through a custom properties file.

If you use a custom properties file you should run the application with the "config.file" parameter and provide the path to the properties file:

java -Dconfig.file=myreportconfig.properties -jar bitegarden-sonarcloud-security.jar

If you just want to pass the required parameters through system properties use "-D" arguments when running the report:

java -Dsonar.token=mytoken -Dsonar.projectKey=myprojectkey -Dsonar.organizationKey=myorg -Dreport.type=cwe-top-25-2021 -jar bitegarden-sonarcloud-security.jar

If a property is defined in both locations (file and command line args) the command line property will override the property in the file. This way you can have a generic configuration file with the common properties (sonar.token, sonar.organizationKey, report.type, ...) and then use command line args for specific properties like sonar.projectKey or sonar.branch.

Running the report with a license key


By default, when you download the product you can use it for 14 days. Once your evaluation period ends, you will need to purchase the product and obtain a valid license key.

The license key will be provided as a text file. In order to use this license file you must set the property "license.file" in your configuration file (or through command line args) with the path of your license file.

This is a sample run of a licensed product, passing the license file as a command line argument:

java -Dconfig.file=myreportconfig.properties -Dlicense.file=PATH_TO_LICENSE_FILE -jar bitegarden-sonarcloud-security.jar

It is up to you to include the "license.file" property in your configuration file or use it as a command line argument with "-D".
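The property precedence above (file values overridden by -D arguments) and the license.file property lend themselves to a small CI wrapper. The script below is an added example, not bitegarden's own code: it keeps the shared settings in a private properties file so the token never appears on the command line, and passes only the per-project values with -D. It assumes SONAR_TOKEN, SONAR_ORG and optionally LICENSE_FILE are provided by the CI environment; the jar path and output naming are assumptions too.

```shell
#!/bin/sh
# Added example (not bitegarden's code): generate one report per "project branch" pair.
# Shared settings live in a properties file; per-run values are passed with -D, which
# override the file on a conflict. Assumed environment: SONAR_TOKEN, SONAR_ORG,
# optionally LICENSE_FILE, REPORT_TYPE, JAR and CONFIG.
set -eu

JAR="${JAR:-bitegarden-sonarcloud-security.jar}"   # assumed location of the downloaded jar
CONFIG="${CONFIG:-report.properties}"
REPORT_TYPE="${REPORT_TYPE:-owasp-top-10-2021}"

# Write the shared properties file. The token goes in the file rather than on the command
# line so it does not show up in process listings or CI logs; umask 077 keeps the file
# (and any PDF written afterwards by this shell) readable by the current user only.
write_config() {
  umask 077
  {
    printf 'sonar.token=%s\n' "$SONAR_TOKEN"
    printf 'sonar.organizationKey=%s\n' "$SONAR_ORG"
    printf 'report.type=%s\n' "$REPORT_TYPE"
    printf 'user.locale=en\n'
    if [ -n "${LICENSE_FILE:-}" ]; then printf 'license.file=%s\n' "$LICENSE_FILE"; fi
  } > "$CONFIG"
}

# Output file name derived from project, branch and report type; '/' in branch names
# (feature/x) would otherwise be taken as a directory separator.
output_name() {
  printf '%s_%s_%s.pdf' "$1" "$(printf '%s' "$2" | tr '/' '-')" "$REPORT_TYPE"
}

# Java argument list for one project/branch. Only values that differ per run are -D
# arguments; everything else comes from the file.
report_args() {
  printf '%s' "-Dconfig.file=$CONFIG -Dsonar.projectKey=$1 -Dsonar.branch=$2 -Doutput=$(output_name "$1" "$2") -jar $JAR"
}

# Read "project branch" pairs from stdin and run each; set -e makes the CI step fail
# on the first report that cannot be generated instead of skipping it silently.
run_all() {
  write_config
  while read -r project branch; do
    if [ -z "$project" ]; then continue; fi
    echo "Generating $REPORT_TYPE report for $project ($branch)"
    java $(report_args "$project" "$branch")   # unquoted on purpose: split into arguments
  done
}

if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it as `printf 'myproject main\nmyproject develop\n' | sh report.sh --run` with the environment variables exported.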

Troubleshooting and Support


When you run the reports, the product displays all the information about both the license and the configuration on standard output. If you have any problem, please open a support request in our customer portal and we will be happy to help you find a solution.


Get your SonarCloud™ OWASP Top 10 and CWE Top 25 reports right now!
