authorMichal Duda <michal.duda@sonarsource.com>2019-06-26 10:19:48 +0200
committerSonarTech <sonartech@sonarsource.com>2019-06-28 20:21:11 +0200
commit87e7d062dda60f63957bccaf94df78633b525ac0 (patch)
tree2612154cbda08c7f22b72b6779cbcfd9dc1ada01 /server/sonar-server
parentcb7020fd904e098e11fcd6d80f8a548414f59fe3 (diff)
SONAR-12023 Remove "Not OWASP" CWE mapping, and move all unmapped CWEs to "Others" (SonarSource Security)
Diffstat (limited to 'server/sonar-server')
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/issue/index/IssueIndex.java10
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/issue/ws/SearchAction.java10
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/rule/ws/RuleWsSupport.java21
-rw-r--r--server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java3
-rw-r--r--server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/empty.json114
-rw-r--r--server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/owaspNoCwe.json115
-rw-r--r--server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sansWithCwe.json46
-rw-r--r--server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityNoCwe.json205
-rw-r--r--server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityOnApplication.json174
-rw-r--r--server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityWithCwe.json216
10 files changed, 24 insertions, 890 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/issue/index/IssueIndex.java b/server/sonar-server/src/main/java/org/sonar/server/issue/index/IssueIndex.java
index 7ec91b1dbbe..ea1182c26b8 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/issue/index/IssueIndex.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/issue/index/IssueIndex.java
@@ -157,7 +157,7 @@ import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_INSEC
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
-import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
import static org.sonar.server.view.index.ViewIndexDefinition.TYPE_VIEW;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.DEPRECATED_PARAM_AUTHORS;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.FACET_MODE_EFFORT;
@@ -880,15 +880,15 @@ public class IssueIndex {
public List<SecurityStandardCategoryStatistics> getSonarSourceReport(String projectUuid, boolean isViewOrApp, boolean includeCwe) {
SearchRequestBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
- SONARSOURCE_CWE_MAPPING.keySet()
- .forEach(
- sonarsourceCategory -> request.addAggregation(createAggregation(FIELD_ISSUE_SONARSOURCE_SECURITY, sonarsourceCategory, includeCwe, Optional.of(SONARSOURCE_CWE_MAPPING))));
+ Stream.concat(SONARSOURCE_CWE_MAPPING.keySet().stream(), Stream.of(SONARSOURCE_OTHER_CWES_CATEGORY))
+ .forEach(sonarsourceCategory -> request.addAggregation(
+ createAggregation(FIELD_ISSUE_SONARSOURCE_SECURITY, sonarsourceCategory, includeCwe, Optional.of(SONARSOURCE_CWE_MAPPING))));
return processSecurityReportSearchResults(request, includeCwe);
}
public List<SecurityStandardCategoryStatistics> getOwaspTop10Report(String projectUuid, boolean isViewOrApp, boolean includeCwe) {
SearchRequestBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
- Stream.concat(IntStream.rangeClosed(1, 10).mapToObj(i -> "a" + i), Stream.of(UNKNOWN_STANDARD))
+ IntStream.rangeClosed(1, 10).mapToObj(i -> "a" + i)
.forEach(owaspCategory -> request.addAggregation(createAggregation(FIELD_ISSUE_OWASP_TOP_10, owaspCategory, includeCwe, Optional.empty())));
return processSecurityReportSearchResults(request, includeCwe);
}
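Review bot: In getSonarSourceReport the extra `SONARSOURCE_OTHER_CWES_CATEGORY` aggregation is still created with `Optional.of(SONARSOURCE_CWE_MAPPING)`, although the category is appended with `Stream.of(...)` and so is apparently not a key of that map. createAggregation is outside this hunk, so please confirm that a lookup returning null for this category is handled when `includeCwe` is true; otherwise the CWE breakdown for the catch-all bucket could come back empty or fail. This bucket is where unmapped CWEs now land in the security report, so a silent gap there would hide findings. A comment above the stream would record the intent, e.g. `// the catch-all category has no entry in SONARSOURCE_CWE_MAPPING; it collects issues whose CWEs map to no SonarSource category`.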
diff --git a/server/sonar-server/src/main/java/org/sonar/server/issue/ws/SearchAction.java b/server/sonar-server/src/main/java/org/sonar/server/issue/ws/SearchAction.java
index e160d7fe300..1144a6f83a0 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/issue/ws/SearchAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/issue/ws/SearchAction.java
@@ -88,6 +88,7 @@ import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_INSEC
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.ws.KeyExamples.KEY_BRANCH_EXAMPLE_001;
import static org.sonar.server.ws.KeyExamples.KEY_PROJECT_EXAMPLE_001;
@@ -260,9 +261,9 @@ public class SearchAction implements IssuesWsAction, Startable {
.setPossibleValues((Object[]) RuleType.values())
.setExampleValue(format("%s,%s", RuleType.CODE_SMELL, RuleType.BUG));
action.createParam(PARAM_OWASP_TOP_10)
- .setDescription("Comma-separated list of OWASP Top 10 lowercase categories. Use '" + UNKNOWN_STANDARD + "' to select issues not associated to any OWASP Top 10 category.")
+ .setDescription("Comma-separated list of OWASP Top 10 lowercase categories.")
.setSince("7.3")
- .setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10", UNKNOWN_STANDARD);
+ .setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10");
action.createParam(PARAM_SANS_TOP_25)
.setDescription("Comma-separated list of SANS Top 25 categories.")
.setSince("7.3")
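Review bot: Removing `UNKNOWN_STANDARD` from `setPossibleValues` on PARAM_OWASP_TOP_10 narrows the public web-service contract, and nothing in the visible hunks records that for API consumers. A client or saved filter that still passes the old value will presumably be rejected by parameter validation instead of returning the unmapped issues, which is easy to mistake for having no findings. Consider documenting the removal on the action with a `setChangelog(new Change(...))` entry. The same applies to the identical edit in RuleWsSupport (hunk at -143). The enclosing method starts and ends outside this hunk.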
@@ -271,9 +272,10 @@ public class SearchAction implements IssuesWsAction, Startable {
.setDescription("Comma-separated list of CWE identifiers. Use '" + UNKNOWN_STANDARD + "' to select issues not associated to any CWE.")
.setExampleValue("12,125," + UNKNOWN_STANDARD);
action.createParam(PARAM_SONARSOURCE_SECURITY)
- .setDescription("Comma-separated list of SonarSource security categories.")
+ .setDescription("Comma-separated list of SonarSource security categories. Use '" + SONARSOURCE_OTHER_CWES_CATEGORY + "' to select issues not associated" +
+ " with any category")
.setSince("7.8")
- .setPossibleValues(SONARSOURCE_CWE_MAPPING.keySet());
+ .setPossibleValues(ImmutableList.builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build());
action.createParam(DEPRECATED_PARAM_AUTHORS)
.setDeprecatedSince("7.7")
.setDescription("This parameter is deprecated, please use '%s' instead", PARAM_AUTHOR)
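Review bot: The new PARAM_SONARSOURCE_SECURITY description ends with `" with any category"` and no full stop, unlike the neighbouring descriptions in this hunk. Suggest `" with any category."` here and in the matching string in RuleWsSupport (hunk at -155). Separately, `ImmutableList.builder()` is used without a type argument and the same list expression is repeated in RuleWsSupport. Writing `ImmutableList.<String>builder()` would state the element type, assuming the map keys are strings, and a single shared constant would keep both endpoints advertising the same set of categories.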
diff --git a/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RuleWsSupport.java b/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RuleWsSupport.java
index eb19feff8a5..551548eee01 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RuleWsSupport.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RuleWsSupport.java
@@ -19,6 +19,7 @@
*/
package org.sonar.server.rule.ws;
+import com.google.common.collect.ImmutableList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
@@ -35,7 +36,6 @@ import org.sonar.db.DbSession;
import org.sonar.db.organization.OrganizationDto;
import org.sonar.db.rule.RuleDto;
import org.sonar.db.user.UserDto;
-import org.sonar.server.security.SecurityStandardHelper;
import org.sonar.server.organization.DefaultOrganizationProvider;
import org.sonar.server.qualityprofile.ActiveRuleInheritance;
import org.sonar.server.rule.index.RuleIndexDefinition;
@@ -50,8 +50,6 @@ import static org.sonar.core.util.stream.MoreCollectors.toSet;
import static org.sonar.core.util.stream.MoreCollectors.uniqueIndex;
import static org.sonar.db.organization.OrganizationDto.Subscription.PAID;
import static org.sonar.db.permission.OrganizationPermission.ADMINISTER_QUALITY_PROFILES;
-import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_CWE_MAPPING;
-import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVATION;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVE_SEVERITIES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_AVAILABLE_SINCE;
@@ -73,6 +71,10 @@ import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_STATUSES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TAGS;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TEMPLATE_KEY;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TYPES;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_CWE_MAPPING;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
+import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.ws.WsUtils.checkFoundWithOptional;
@ServerSide
@@ -143,10 +145,9 @@ public class RuleWsSupport {
.setExampleValue("12,125," + UNKNOWN_STANDARD);
action.createParam(PARAM_OWASP_TOP_10)
- .setDescription("Comma-separated list of OWASP Top 10 lowercase categories. Use '" + UNKNOWN_STANDARD + "' to select rules not associated to any OWASP " +
- "Top 10 category.")
+ .setDescription("Comma-separated list of OWASP Top 10 lowercase categories.")
.setSince("7.3")
- .setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10", UNKNOWN_STANDARD);
+ .setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10");
action.createParam(PARAM_SANS_TOP_25)
.setDescription("Comma-separated list of SANS Top 25 categories.")
@@ -155,9 +156,11 @@ public class RuleWsSupport {
action
.createParam(PARAM_SONARSOURCE_SECURITY)
- .setDescription("Comma-separated list of SonarSource report categories.")
- .setPossibleValues(SecurityStandardHelper.SONARSOURCE_CWE_MAPPING.keySet())
- .setExampleValue("sql-injection,command-injection");
+ .setDescription("Comma-separated list of SonarSource security categories. Use '" + SONARSOURCE_OTHER_CWES_CATEGORY + "' to select rules not associated" +
+ " with any category")
+ .setSince("7.8")
+ .setPossibleValues(ImmutableList.builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build())
+ .setExampleValue("sql-injection,command-injection,others");
action
.createParam(PARAM_LANGUAGES)
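Review bot: The example value hard-codes the literal `others`, while the description and possible values two lines above are built from `SONARSOURCE_OTHER_CWES_CATEGORY`. If the constant's value ever changes, the documented example would name a category the endpoint rejects. Building it from the constant, as the CWE parameter does at the top of the previous hunk with `"12,125," + UNKNOWN_STANDARD`, avoids the drift: `.setExampleValue("sql-injection,command-injection," + SONARSOURCE_OTHER_CWES_CATEGORY);`.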
diff --git a/server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java b/server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
index d4d757b87e0..577c835d490 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
@@ -218,8 +218,7 @@ public class IssueIndexSecurityReportsTest {
tuple("a7", 0L, OptionalInt.empty(), 0L, 0L, 0L),
tuple("a8", 0L, OptionalInt.empty(), 0L, 0L, 1L /* reviewedHotspot */),
tuple("a9", 0L, OptionalInt.empty(), 0L, 0L, 0L),
- tuple("a10", 0L, OptionalInt.empty(), 0L, 0L, 0L),
- tuple("unknown", 1L /* notowaspvul */, OptionalInt.of(4) /* CRITICAL = D */, 1L /* notowasphotspot */, 0L, 0L));
+ tuple("a10", 0L, OptionalInt.empty(), 0L, 0L, 0L));
return owaspTop10Report;
}
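Review bot: This hunk only drops the `unknown` tuple from the OWASP expectation, and the diffstat shows just three changed lines in this test file, so nothing visible here asserts the new catch-all bucket that getSonarSourceReport now returns. Since that bucket is where issues with unmapped CWEs are meant to surface, an expectation for a tuple keyed by `SONARSOURCE_OTHER_CWES_CATEGORY` in the SonarSource report test would guard against those findings silently vanishing from the report. The diff is limited to server/sonar-server, so such a test may exist elsewhere. The enclosing test method starts outside the hunk.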
diff --git a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/empty.json b/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/empty.json
deleted file mode 100644
index efb9191e511..00000000000
--- a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/empty.json
+++ /dev/null
@@ -1,114 +0,0 @@
-{
- "categories": [
- {
- "category": "a1",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "a2",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "a3",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 1
- },
- {
- "category": "a4",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a5",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a6",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a7",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a8",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a9",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a10",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "unknown",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 2
- }
- ]
-}
diff --git a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/owaspNoCwe.json b/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/owaspNoCwe.json
deleted file mode 100644
index 60675e21b7b..00000000000
--- a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/owaspNoCwe.json
+++ /dev/null
@@ -1,115 +0,0 @@
-{
- "categories": [
- {
- "category": "a1",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "a2",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "a3",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 1
- },
- {
- "category": "a4",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a5",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a6",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a7",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a8",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a9",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a10",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "unknown",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 2
- }
- ]
-}
diff --git a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sansWithCwe.json b/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sansWithCwe.json
deleted file mode 100644
index ce510484551..00000000000
--- a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sansWithCwe.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "categories": [
- {
- "category": "porous-defenses",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 1
- },
- {
- "category": "risky-resource",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "insecure-interaction",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 0,
- "distribution": [
- {
- "cwe": "89",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 0,
- "activeRules": 1,
- "totalRules": 1
- }
- ],
- "activeRules": 2,
- "totalRules": 2
- }
- ]
-}
diff --git a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityNoCwe.json b/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityNoCwe.json
deleted file mode 100644
index c00feb5f200..00000000000
--- a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityNoCwe.json
+++ /dev/null
@@ -1,205 +0,0 @@
-{
- "categories": [
- {
- "category": "ldap-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "object-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "ssrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "insecure-conf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xxe",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "auth",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xpath-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "weak-cryptography",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "dos",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "open-redirect",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "log-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "csrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "sql-injection",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "file-manipulation",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "expression-lang-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "rce",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xss",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "path-traversal-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "command-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "http-response-splitting",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- }
- ]
-}
diff --git a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityOnApplication.json b/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityOnApplication.json
deleted file mode 100644
index 93df7186016..00000000000
--- a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityOnApplication.json
+++ /dev/null
@@ -1,174 +0,0 @@
-{
- "categories": [
- {
- "category": "ldap-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "object-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "ssrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "insecure-conf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "xxe",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "auth",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "xpath-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "weak-cryptography",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "dos",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "open-redirect",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "log-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "csrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "sql-injection",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "distribution": [
- {
- "cwe": "89",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1
- }
- ]
- },
- {
- "category": "file-manipulation",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "expression-lang-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "rce",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "xss",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "path-traversal-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "command-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "http-response-splitting",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- }
- ]
-}
diff --git a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityWithCwe.json b/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityWithCwe.json
deleted file mode 100644
index c9e6c748036..00000000000
--- a/server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityWithCwe.json
+++ /dev/null
@@ -1,216 +0,0 @@
-{
- "categories": [
- {
- "category": "ldap-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "object-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "ssrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "insecure-conf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xxe",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "auth",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xpath-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "weak-cryptography",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "dos",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "open-redirect",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "log-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "csrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "sql-injection",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "distribution": [
- {
- "cwe": "89",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "activeRules": 1,
- "totalRules": 1
- }
- ],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "file-manipulation",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "expression-lang-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "rce",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xss",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "path-traversal-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "command-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "http-response-splitting",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- }
- ]
-}