Cross Site Scripting in SonarQube

php
security

(Ahmed Ibrahim Mohamed Ibrahim) #1

I think SonarLint doesn’t support many cases of cross site scripting detection, like the cases below.

echo $_GET['name'];
echo $_POST['name'];

I’m using SonarQube to analyse my project and I already put the above lines in the code, but Sonar didn’t detect these issues, which is strange to me.

It detects only eval($_GET['name']);

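As an added example (not code from the thread or from SonarSource), the reflected XSS sink from the post beside the escaped form a reviewer would expect once a scanner flags it; the function names and the constructed request are my own.

```php
<?php
// Added example: a reflected XSS sink and its escaped counterpart.
// The echo lines from the post copy a raw query-string value into the
// HTML response, so any markup in "name" is rendered by the browser.

// Vulnerable: user input concatenated into HTML without encoding.
function greet_unsafe(array $get): string
{
    return "<p>Hello " . ($get['name'] ?? '') . "</p>";
}

// Hardened: encode for the HTML text context. ENT_QUOTES also encodes
// single and double quotes, so the helper is safe inside attribute
// values too; ENT_SUBSTITUTE keeps invalid UTF-8 from silently turning
// the whole value into an empty string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function greet_safe(array $get): string
{
    $name = (string) ($get['name'] ?? '');
    return "<p>Hello " . html_escape($name) . "</p>";
}

// Constructed request in place of a live $_GET so the file runs from the CLI.
$request = ['name' => "<script>alert(1)</script>"];

echo greet_unsafe($request), PHP_EOL; // markup reaches the browser unchanged
echo greet_safe($request), PHP_EOL;   // markup is shown as literal text
```

The escaping must match the output context: this helper covers HTML text and attribute values, while a value placed inside a JavaScript block or a URL needs a different encoder.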

(Janos Gyerik) #2

At the moment we don’t have a rule that would catch such cross site scripting suspects. We’re actively working on this, so stay tuned for upcoming releases later this year. Note however that such rule might be limited to SonarQube/SonarCloud in the short-mid term, and not be available in SonarLint.


(Ahmed Ibrahim Mohamed Ibrahim) #3

I’m doing this and working on it for my MSc, so could you give me access to the API or source code? I will share the results with you if you acknowledge my name.


(Janos Gyerik) #4

Perhaps you’re looking for our Extension Guide.

Our open-source code is available on GitHub.


(Andrew) #5

Hi Janos, I was just wondering if this made its way into SonarQube?


(Alexandre Gigleux) #6

Hello Andrew,

We are working to provide XSS detection capabilities for Java, C# and PHP. This will be available in SonarCloud and with the SonarQube Developer Edition.

FYI: related specification ticket: https://jira.sonarsource.com/browse/MMF-1569

Regards