SONAR-14459 [DOCS] Add CWE Top 25 reports

- mark as outdated Sans Top 25 report

diff --git a/server/sonar-docs/src/pages/user-guide/built-in-rule-tags.md b/server/sonar-docs/src/pages/user-guide/built-in-rule-tags.md
index 6ef0dedd6bb3d50bf01e98689c9ba1aabea4793d..80499a74e0ec16842ebb225835d507e628d7f849 100644 (file)
--- a/server/sonar-docs/src/pages/user-guide/built-in-rule-tags.md
+++ b/server/sonar-docs/src/pages/user-guide/built-in-rule-tags.md
@@ -18,7 +18,7 @@ Tags are a way to categorize rules and issues. Issues inherit the tags on the ru
 * [misra](https://rules.sonarsource.com/java/tag/misra) - relates to a rule in one of the [MISRA](http://www.misra.org.uk/) standards. While the MISRA rules are primarily about C and C++, many of them are not language-specific (E.G. don't use a float as a loop counter) but are simply good programming practices. That's why you'll see these tags on non-C/C++ rules.
 * [owasp](https://rules.sonarsource.com/java/tag/owasp) - relates to a rule in the [OWASP Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) security standards. Note, that the OWASP Top Ten is a list of high-level vulnerabilities which translates to many, many potential rules.
 * [pitfall](https://rules.sonarsource.com/java/tag/pitfall) - nothing is wrong yet, but something could go wrong in the future; a trap has been set for the next guy and he'll probably fall into it and screw up the code.
-* [sans-top25](https://rules.sonarsource.com/java/tag/sans-top25) - relates to the [SANS Top 25 Coding Errors](http://www.sans.org/top25-software-errors/), which are security-related. Note that  the SANS Top 25 list is pulled directly from the CWE.
+* [sans-top25](https://rules.sonarsource.com/java/tag/sans-top25) - This tag is based on outdated statistics and should no longer be used. Instead, it's recommended to rely on the "CWE Top 25" reports, which are available in [Enterprise Edition](https://redirect.sonarsource.com/editions/enterprise.html).
 * [suspicious](https://rules.sonarsource.com/java/tag/suspicious) - it's not guaranteed that this is a **bug**, but it looks suspiciously like one. At the very least, the code should be re-examined & likely refactored for clarity.
 * [unpredictable](https://rules.sonarsource.com/java/tag/unpredictable) - the code may work fine under current conditions, but may fail erratically if conditions change.
 * [unused](https://rules.sonarsource.com/java/tag/unused) - unused code, E.G. a private variable that is never used.

diff --git a/server/sonar-docs/src/pages/user-guide/security-reports.md b/server/sonar-docs/src/pages/user-guide/security-reports.md
index 999a496911a37f49b68282e521ffd93b9eb0f0e1..76dd0e171e529858ce572e54d02f9b5e4761817a 100644 (file)
--- a/server/sonar-docs/src/pages/user-guide/security-reports.md
+++ b/server/sonar-docs/src/pages/user-guide/security-reports.md
@@ -6,7 +6,10 @@ url: /user-guide/security-reports/
 *Security Reports are available starting in [Enterprise Edition](https://redirect.sonarsource.com/editions/enterprise.html).*
 
 ## What do Security Reports show?
-Security Reports quickly give you the big picture on your application's security, with breakdowns of just where you stand in regard to each of the [OWASP Top 10](https://www.owasp.org/index.php/Top_10-2017_Top_10), and [SANS Top 25](https://www.sans.org/top25-software-errors) categories, and [CWE](https://cwe.mitre.org/)-specific details.
+Security Reports quickly give you the big picture on your application's security, with breakdowns of just where you stand in regard to each of the [OWASP Top 10](https://www.owasp.org/index.php/Top_10-2017_Top_10), both [CWE Top 25 2019](https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html) and [CWE Top 25 2020](https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html), and [CWE](https://cwe.mitre.org/) -specific details.
+
+[[warning]]
+| The SANS Top 25 report is based on outdated statistics and should no longer be used. Instead, we recommend using the CWE Top 25 reports.
 
 The Security Reports rely on the rules activated in your Quality Profiles to raise security issues. If there are no rules corresponding to a given OWASP category activated in your Quality Profile, you will get no issues linked to that specific category and the rating displayed will be A. That won't mean you are safe for that category, but that you need to activate more rules (assuming some exist).
 

diff --git a/server/sonar-docs/src/pages/user-guide/security-rules.md b/server/sonar-docs/src/pages/user-guide/security-rules.md
index 50298a4dcf5a5596356ae2762e6368422c699eef..2d3fbb099323ee05f7bd8c1b13073a3a1b6c16ca 100644 (file)
--- a/server/sonar-docs/src/pages/user-guide/security-rules.md
+++ b/server/sonar-docs/src/pages/user-guide/security-rules.md
@@ -24,8 +24,8 @@ With Hotspots, we want to help developers understand information security risks,
 ## Which security-standards are covered?
 Our security rules are classified according to well-established security-standards such as:
 * [CWE](https://cwe.mitre.org/): SonarQube is a CWE compatible product [since 2015](https://cwe.mitre.org/compatible/questionnaires/33.html).
-* [SANS Top 25](https://www.sans.org/top25-software-errors/)
-* [OWASP Top 10 ](https://www.owasp.org/index.php/Top_10-2017_Top_10)
+* [OWASP Top 10 ](https://www.owasp.org/index.php/Top_10-2017_Top_10))
+* [SANS Top 25 - outdated](https://www.sans.org/top25-software-errors/)
 
 The standards to which a rule relates will be listed in the **See** section at the bottom of the rule description. More generally, you can search for a rule on [rules.sonarsource.com](https://rules.sonarsource.com/):
 * [Java-vulnerability-issue-type](https://rules.sonarsource.com/java/type/Vulnerability): all vulnerability rules for Java language.