Note: Understanding the Limitations of Sonar in OWASP Security Analysis
Sonar is generally effective at detecting many OWASP-related security issues. However, it has limitations, and there are aspects it may not detect or address effectively:
False Positives: Like many automated code analysis tools, Sonar can produce false positives, flagging code as vulnerable when it is not. This adds noise to the results and requires manual validation.
Contextual Understanding: Sonar relies primarily on static analysis, so it may not fully understand the context in which the code operates. This can cause it to miss some complex vulnerabilities, producing false negatives.
Business Logic Flaws: Sonar is primarily focused on identifying common security vulnerabilities rather than business logic flaws, which may require manual testing or specialized tools.
Zero-Day Vulnerabilities: Sonar's rules and plugins are based on known vulnerabilities and attack patterns. It may not detect brand new or zero-day vulnerabilities until they are documented and added to its rule sets.
Non-Code Security Issues: Sonar primarily focuses on code-level vulnerabilities. It may not detect other security issues related to server configuration, network architecture, or deployment environments.
To secure the project more thoroughly, consider the following:
OWASP Application Security Verification Standard (ASVS): To achieve a comprehensive level of security, the project should aim to pass the official OWASP ASVS. This standard provides a detailed checklist of security controls and verification requirements. https://owasp.org/www-project-application-security-verification-standard/
OWASP Web Security Testing Guide: Refer to the OWASP Web Security Testing Guide for guidance on performing security testing and assessments beyond what automated tools like Sonar can offer. It provides insights into various testing techniques and methodologies. https://owasp.org/www-project-web-security-testing-guide/
Vulnerable and Outdated Components (A06:2021-Vulnerable and Outdated Components): Note that Sonar may not effectively detect this category of vulnerabilities. To address it, consider using the OWASP Dependency-Check tool, available on the OWASP website. This tool helps identify and manage vulnerable components and libraries in your project's dependencies. https://owasp.org/www-project-dependency-check/
By combining the capabilities of Sonar with these additional measures and tools, you can enhance the security of the project and minimize the risk of OWASP-related vulnerabilities going undetected.
List of Python Sonar security rules categorized by OWASP TOP 10:2021
A01:2021-Broken Access Control
Vulnerability:
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5146/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2083/ (also A03)
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-6317/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5445/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-6321/
Security Hotspot:
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6333/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6329/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6304/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6302/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6270/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6265/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6281/ (also A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-5443/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-5042/ (also A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-4502/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6463/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-2612/ (also A04)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-3752/ (also A04)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-1313/
A02:2021-Cryptographic Failures
Vulnerability:
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5659/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5547/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5542/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5527/ (also A05 and A07)
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-4830/ (also A05 and A07)
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-4426/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-4423/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-3329/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2053/
Security Hotspot:
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-5332/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-4790/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-2257/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-2245/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6332/ (also A04 and A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6330/ (also A04 and A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6327/ (also A04 and A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6319/ (also A04 and A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6308/ (also A04 and A05)
A03:2021-Injection
Vulnerability:
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5496/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5334/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5147/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5131/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-3649/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2091/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2083/ (also A01)
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2078/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2076/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-6287/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5145/ (also A09)
Security Hotspot:
A04:2021-Insecure Design
Vulnerability:
Security Hotspot:
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6332/ (also A02 and A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6330/ (also A02 and A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6327/ (also A02 and A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6319/ (also A02 and A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6308/ (also A02 and A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6275/ (also A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-2612/ (also A01)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6245/ (also A05)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-3752/ (also A01)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-2092/ (also A05)
A05:2021-Security Misconfiguration
Vulnerability:
Security Hotspot:
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6281/ (also A01)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-5042/ (also A01)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6332/ (also A02 and A04)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6330/ (also A02 and A04)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6327/ (also A02 and A04)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6319/ (also A02 and A04)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6308/ (also A02 and A04)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6275/ (also A04)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6252/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-6245/ (also A04)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-5122/ (also A07)
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-4507/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-3330/
https://rules.sonarsource.com/python/type/Security%20Hotspot/RSPEC-2092/ (also A04)
A06:2021-Vulnerable and Outdated Components
Sonar doesn't have the ability to detect this. There is a tool available on the OWASP site to check dependencies.
https://owasp.org/www-project-dependency-check/
Vulnerability:
Security Hotspot:
A07:2021-Identification and Authentication Failures
Vulnerability:
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-6437/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2115/
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-5527/ (also A02 and A05)
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-4830/ (also A02 and A05)
https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-4433/
Security Hotspot:
A08:2021-Software and Data Integrity Failures
Vulnerability:
Security Hotspot:
A09:2021-Security Logging and Monitoring Failures
Vulnerability:
Security Hotspot:
A10:2021-Server-Side Request Forgery
Vulnerability:
Security Hotspot:
List of JavaScript Sonar security rules categorized by OWASP TOP 10:2021
A01:2021-Broken Access Control
Vulnerability:
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-6105/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-6096/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5146/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-2083/ (also A03)
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-6317/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-2819/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-6321/
Security Hotspot:
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6333/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6329/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6302/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6270/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6265/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6281/ (also A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5443/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5042/ (also A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-4502/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5604/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-2612/ (also A04)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5736/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-1313/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6304/
A02:2021-Cryptographic Failures
Vulnerability:
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5659/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5547/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5542/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5527/ (also A05 and A07)
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-4830/ (also A05 and A07)
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-4426/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-4423/
Security Hotspot:
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6249/ (also A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5332/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-4790/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-2245/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6332/ (also A04 and A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6330/ (also A04 and A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6327/ (also A04 and A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6319/ (also A04 and A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6308/ (also A04 and A05)
A03:2021-Injection
Vulnerability:
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5696/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5334/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5147/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5131/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-3649/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-2083/ (also A01)
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-2076/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-2631/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-6287/
https://rules.sonarsource.com/javascript/type/Vulnerability/RSPEC-5883/
Security Hotspot:
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6299/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6268/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5852/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-1523/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6350/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5247/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-4721/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-2077/
A04:2021-Insecure Design
Vulnerability:
Security Hotspot:
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6332/ (also A02 and A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6330/ (also A02 and A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6327/ (also A02 and A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6319/ (also A02 and A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6308/ (also A02 and A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6275/ (also A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-2612/ (also A01)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6245/ (also A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5732/ (also A05)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-2092/ (also A05)
A05:2021-Security Misconfiguration
Vulnerability:
Security Hotspot:
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6281/ (also A01)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6249/ (also A02)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5042/ (also A01)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6332/ (also A02 and A04)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6330/ (also A02 and A04)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6327/ (also A02 and A04)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6319/ (also A02 and A04)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6308/ (also A02 and A04)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6275/ (also A04)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5693/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5691/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6252/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-6245/ (also A04)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5759/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5743/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5742/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5739/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5734/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5732/ (also A04)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5730/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5728/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5689/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5148/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-5122/ (also A07)
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-4507/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-3330/
https://rules.sonarsource.com/javascript/type/Security%20Hotspot/RSPEC-2092/ (also A04)
A06:2021-Vulnerable and Outdated Components
Sonar doesn't have the ability to detect this. There is a tool available on the OWASP site to check dependencies.
https://owasp.org/www-project-dependency-check/
Vulnerability:
Security Hotspot:
A07:2021-Identification and Authentication Failures
Vulnerability:
Security Hotspot:
A08:2021-Software and Data Integrity Failures
Vulnerability:
Security Hotspot:
A09:2021-Security Logging and Monitoring Failures
Vulnerability:
Security Hotspot:
A10:2021-Server-Side Request Forgery
Vulnerability:
Security Hotspot:
List of Docker Sonar security rules categorized by OWASP TOP 10:2021
A01:2021-Broken Access Control
Vulnerability:
Security Hotspot:
A02:2021-Cryptographic Failures
Vulnerability:
Security Hotspot:
A03:2021-Injection
Vulnerability:
Security Hotspot:
A04:2021-Insecure Design
Vulnerability:
Security Hotspot:
A05:2021-Security Misconfiguration
Vulnerability:
https://rules.sonarsource.com/docker/type/Vulnerability/RSPEC-4830/ (also A02 and A07)
Security Hotspot:
A06:2021-Vulnerable and Outdated Components
Sonar doesn't have the ability to detect this. There is a tool available on the OWASP site to check dependencies.
https://owasp.org/www-project-dependency-check/
Vulnerability:
Security Hotspot:
A07:2021-Identification and Authentication Failures
Vulnerability:
https://rules.sonarsource.com/docker/type/Vulnerability/RSPEC-4830/ (also A02 and A05)
Security Hotspot:
A08:2021-Software and Data Integrity Failures
Vulnerability:
Security Hotspot:
A09:2021-Security Logging and Monitoring Failures
Vulnerability:
Security Hotspot:
A10:2021-Server-Side Request Forgery
Vulnerability:
Security Hotspot: