Does Sonarqube catch OWASP Top 10 vulnerabilities for NodeJS / JavaScript

Hello, I’m using Sonarqube community edition version without any additional plugins or tools. I need to perform static code analysis on NodeJS / Javascript codes. Is this version of sonarqube enough to capture OWASP Top 10 vulnerabilities? Should I install anything on top of the vanilla install? Also, will I get more vulnerability rules if I upgrade my license to Developer?


Hey there.

The Developer Edition of SonarQube provides support for advanced vulnerability detection for JavaScript that is not available in Community Edition. You can find that list of rules here.

Hi @Colin thanks for the response. I am not able to identify any keyword related to the Developer edition with the link you provided. Is the difference simply the Injection tag? Is there a place I can view the complete set of rules offered by Developer but not Community?

Hey there.

That is the complete set of rules (rules tagged with injection) offered by Developer but not Community.

Awesome! Thanks @Colin !

As a side question, @Colin, what proportion of the JavaScript targets the frontend code and what proportion targets the backend (NodeJS) codes?