Hi there, for our development teams we are currently looking into CodeQL and SonarCloud. As a test we are scanning the same repository with both tools. We have scanned the following repository: GitHub - bkimminich/juice-shop: OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
This is a repository that contains a lot of different security findings like SQL injection and XSS. To our surprise, SonarCloud didn't find any of the SQL injections and XSS. We have scanned multiple times with no result; it did find some hotspots (like hardcoded creds), but not these instances. Could you maybe reproduce this with the above repo? Maybe we have configured something wrong.