False negatives SonarCloud in comparison with CodeQL

Hi there, for our development teams we are currently looking into CodeQL and SonarCloud. As a test we are scanning the same repository with both tools. We have scanned the following repository: GitHub - bkimminich/juice-shop: OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

This is a repository that contains a lot of different security findings like SQL injection and XSS. To our suprise SonarCloud didn’t find any of the SQL injections and XSS. We have scanned multiple times but no result, it did find some hotspots (like hardcoded creds) but not these instances. Could you maybe reproduce this with the above repo? Maybe we have configured something wrong.


We recently worked to improve our JS SAST offering and we are about to deploy (in a couple of minutes, really :-)) a new version on SonarCloud that will find almost all vulnerabilities of JuiceShop.

I’ll ping you here once it’s done so you can re-scan and see what SonarCloud can detect on JuiceShop.



@eyboerie As promised, our JS/TS SAST engine was updated today and here what it can detect on JuiceShop: https://sonarcloud.io/project/issues?id=agigleux_juice-shop&resolved=false&types=VULNERABILITY


Thanks for your follow up Alexandre! And indeed it was able to find most of the SQL injections and other findings as well. However it still doesnt spot some obvious Cross Site Scripting, but I will look further into that.