Have you ever wondered how secure is your project? Do you want to know which security vulnerabilities you need to focus on?
Based on OWASP Top 10, CWE SANS Top 25, OWASP ASVS and CERT security standards, Security Plugin for SonarQube™ gathers a list of vulnerabilities detected in the form of issues in SonarQube™, letting you know the security level of the whole project.
The plugin includes OWASP Top 10 2017 categories, that groups the most important security aspects to take in mind in any application and the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
From version 2.8 the plugin includes a security assessment for OWASP Application Security Verification Standard (OWASP ASVS), with details about chapter, sections and requirements. Read our blog post for more information!
Security Plugin for SonarQube™ will provide you a new brand security space in your SonarQube™ project where you will be able to see all the details about the security assessment.
Security Plugin for SonarQube™ is a perfect tool for those developers who worry about the quality and security of their code. Representing the level of security risk of your project through the following factors, makes it much more easier for you to manage your code security.
Technical debt: Technical debt value corresponding to the security issues of the project.
Risk factor: Percentage value (%) that indicates how vulnerable is your project, taking into account the total number of issues detected as well as the size of our project. Moreover, we’ve developed an interpretation of this value through a series of ratings.
Violations density: Percentage value (%) that represents the amount of issues in relation with the security of your project.
You will find all your OWASP or CWE issues (vulnerabilities and hotspots) in one page ordered by severity.
Moreover, the plugin will add new metrics so that you can use them in your Quality Gate like:
OWASP/CWE issues by severity: provides metrics to know your OWASP/CWE compliance.
OWASP/CWE rating: similar to security rating but only for OWASP/CWE issues.