How comprehensive is Developer Edition 14-day trial and what should I expect?

I’m currently using SonarQube Server - Developer Edition (version 10.7, Deployed: zip) with a 14-day trial.

I have a Laravel (PHP) project and am currently testing it on the SonarQube Server.

I would like to know how comprehensive the trial edition is; I have attempted to test a few vulnerabilities in my project such as XSS and CSRF.

In a <form>, here are the things I have added for testing:

  1. I removed “csrf”
  2. Added some random stuff like “random” with an @
  3. Added an input <input value="{!! $malware !!}">
  4. Wrong input spelling <inputtttttttttttttttttttttttttt value="{!! $malware !!}">

It seems that after adding those, there’s 0 code quality and security detection. I hope for some advice on this.

Also, I would like to know the things I should test out to make use of these 14 days, thanks in advance.

Regards,
Marshall

Hi,

Welcome to the community!

The trial license works just like a normal license, it’s just very short.

Can you provide rule IDs and code samples for your false negatives? (Ideally in a new thread per FN.)

Thx,
Ann

Hi Ann, the example below is the script for your perusal.

<form action="{{ route('ticket.submit') }}" method="POST">
    {{-- @csrf --}}
    {{-- @csrf --}}
    {{-- @csrf --}}
    {{-- @csrf --}}
    {{-- @csrf --}}
    {{-- @csrf --}}
    {{-- @csrf --}}
    {{-- @csrf --}}
    @random
    @random
    @random
    @random
    @random
    @random
    @random
    @random
    @random
    @random
    @php
        $malware = "<script>alert('XSS Vulnerability!')</script>";
    @endphp
    <input value="{!! $malware !!}">
    <inputttttttttttttttttttttttt name="name" value="{!! $malware !!}">
    <div class="uk-margin">
        <div class="uk-form-horizontal custom-modal-border">
            <div class="uk-margin">
                <span class="uk-form-label">Company<span class="uk-text-danger">*</span></span>
                <div class="uk-form-controls">
                    <select name="company_name" placeholder="REQUIRED" required>
                        <option value="">REQUIRED</option>
                        @if (!empty($CompanyModelCreates) && count($CompanyModelCreates) !== 0)
                            @foreach ($CompanyModelCreates as $CompanyModelCreate)
                                <option value="{{ $CompanyModelCreate->_id }}">@if(!empty($CompanyModelCreate->clicom_name)) {{ $CompanyModelCreate->clicom_name }} @endif</option>
                            @endforeach
                        @endif
                    </select>
                </div>
            </div>
            <div class="uk-margin">
                <span class="uk-form-label">Ticket Subject<span class="uk-text-danger">*</span></span>
                <div class="uk-form-controls">
                    <input class="uk-input" name="subject_name" type="text" value="" placeholder="REQUIRED" required>
                </div>
            </div>
        </div>
    </div>
    <div class="uk-margin">
        <button class="uk-button uk-button-default custom-icon-green" type="submit">Submit</button>
    </div>
</form>

For the Rule IDs, may I know what that is and where I can find it?

Thank you for your time.

Hi,

What rule were you expecting to raise an issue on this?

Ann

Hi Ann and thank you for your time again.

I’m still new to this Rule, I believe the Rule ID from SonarQube is ‘Web:S5247’, related to the XSS attack.

@php
     $malware = "<script>alert('XSS Vulnerability!')</script>";
@endphp
<input value="{!! $malware !!}">

The above example is an XSS attack I made.

Hi,

Thanks for the rule ID. I’ve flagged this for the team.

Ann

Hello @Marshall9600, welcome to the community :blush:

I have the feeling I understand what the problem is here. Next week, I will provide a good explanation of why it does not work as expected. Thanks for the post!

Cheers,

Loris


Hello @Marshall9600,

I will only answer on the security questions because this is my expertise at Sonar.

(1) The first thing you need to know is that we make sure our security detection raises as few false positives as possible. For this reason, we detect injection issues like XSS only when the code provides a possibility to the user of your web app to inject data.

In your example, $malware is not injected, it’s a hardcoded value, so the analyzer does not detect it as a source of attacks.

(2) This means that if you want to test for Laravel XSS, you need to do something like this:


Here, data is retrieved from a user of the webapp and then directly set as a response. This is an XSS.

(3) Your example uses Laravel’s templating engine, Blade. In 2021, we decided not to support Blade because it was not the highest-priority framework at the time. We have since started supporting multiple other templating frameworks, just not this one.

Please tell us if this would prevent you from using the product, it would be an important insight for us and a reason to support it :+1:

Cheers!

Loris

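To make the source-to-sink point concrete, here is an added example in plain PHP (it is not code from this thread or from Sonar). It shows the flow Loris describes: a value the web user controls reaching the response body unchanged, next to the same controller with the value HTML-encoded first. `HtmlResponse` is a minimal stand-in for the Response class a Laravel controller returns, and the `$query` array stands in for `$_GET`; both are assumptions of this example.

```php
<?php
// Added example (not code from the thread or from Sonar): the source -> sink
// pattern behind an XSS finding, written as a plain PHP controller action.
// HtmlResponse is a minimal stand-in for the Response class Laravel returns;
// the query array stands in for $_GET. Both names are assumptions.

final class HtmlResponse
{
    public function __construct(public string $body) {}
}

// Laravel's e() helper does essentially this: HTML-encode so that the browser
// displays the text instead of executing it. Blade's {{ $x }} calls it;
// {!! $x !!} does not.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// VULNERABLE: data controlled by the web user (the "source") reaches the
// response body (the "sink") unchanged. This is the flow a taint analyzer
// reports as XSS. A hardcoded string such as $malware in the thread never
// satisfies the "source" half, which is why it raised nothing.
function showVulnerable(array $query): HtmlResponse
{
    $source = $query['input'] ?? '';
    return new HtmlResponse('<p>Hello ' . $source . '</p>');
}

// HARDENED: same flow, but the value is encoded before it reaches the sink,
// so a <script> tag is rendered as visible text rather than executed.
function showHardened(array $query): HtmlResponse
{
    $source = $query['input'] ?? '';
    return new HtmlResponse('<p>Hello ' . escapeHtml($source) . '</p>');
}

// Constructed request: the payload from the thread, as if sent in ?input=...
$request = ['input' => "<script>alert('XSS Vulnerability!')</script>"];

echo showVulnerable($request)->body, PHP_EOL;  // script tag emitted verbatim
echo showHardened($request)->body, PHP_EOL;    // script tag HTML-encoded
```

The same distinction applies inside Blade: `{{ $subject }}` routes the value through the escaping helper, while `{!! $subject !!}` is the unescaped sink, so a template that feeds request data into `{!! !!}` is the Blade form of `showVulnerable`.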
$source = $_GET['input'];
$response = new Response($source);

I want to test the above script, but my trial has expired.

Furthermore, you mentioned the Laravel Blade, SonarQube no longer supports it. Is there a way or any alternative to ensure the Blade is secured?

Hope to hear from you soon. Thanks

Hi @Marshall9600,

If you want to test this kind of vulnerability without directly paying, you can use https://sonarcloud.io/.

You just need to create a public codebase and try analyzing it (If you want to add private code it needs the paid version)

About Laravel Blade, I tried googling it for alternatives or even competitors and I found nothing. What I suggest is that if you find a linter or some tooling that allows it, you can plug it into SonarQube to aggregate the results in only one location.

In any case, we have great security support for Laravel controllers written in pure PHP I can assure you.

Cheers

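As an added example of the "plug a linter into SonarQube" approach Loris suggests (this is not code from the thread or from Sonar), here is a minimal Blade checker that flags unescaped `{!! !!}` output and POST forms without `@csrf`, and writes its findings in the generic issue import format that SonarQube reads through `sonar.externalIssuesReportPaths`. The engine name and rule ids are made up for this example, and the exact field set of the import format should be confirmed against the documentation for your SonarQube version.

```php
<?php
// Added example, not code from the thread or from Sonar: a minimal Blade
// checker whose output can be imported into SonarQube as external issues.
// The engine name and rule ids are hypothetical; confirm the generic issue
// import fields against the docs of your SonarQube version.

function makeIssue(string $path, int $line, string $ruleId, string $message): array
{
    return [
        'engineId' => 'blade-check',        // hypothetical engine name
        'ruleId'   => $ruleId,              // hypothetical rule id
        'severity' => 'MAJOR',
        'type'     => 'VULNERABILITY',
        'primaryLocation' => [
            'message'   => $message,
            'filePath'  => $path,           // relative to the project base dir
            'textRange' => ['startLine' => $line],
        ],
    ];
}

function lintBlade(string $path, string $blade): array
{
    $issues = [];

    // Blank out Blade comments but keep their newlines, so that a commented-out
    // {{-- @csrf --}} does not count and line numbers stay correct.
    $code = preg_replace_callback(
        '/\{\{--.*?--\}\}/s',
        fn(array $m) => str_repeat("\n", substr_count($m[0], "\n")),
        $blade
    );

    // Rule 1: {!! $x !!} bypasses Blade's HTML escaping.
    foreach (explode("\n", $code) as $i => $line) {
        if (preg_match('/\{!!.*?!!\}/', $line)) {
            $issues[] = makeIssue($path, $i + 1, 'blade-unescaped-output',
                'Unescaped Blade output {!! !!}; use {{ }} unless the value is trusted HTML.');
        }
    }

    // Rule 2: every <form method="POST"> must carry the @csrf directive.
    $formPattern = '/<form\b[^>]*\bmethod\s*=\s*["\']post["\'][^>]*>(.*?)<\/form>/is';
    if (preg_match_all($formPattern, $code, $forms, PREG_OFFSET_CAPTURE)) {
        foreach ($forms[0] as $k => [$formText, $offset]) {
            if (!preg_match('/@csrf\b/', $forms[1][$k][0])) {
                $line = substr_count(substr($code, 0, $offset), "\n") + 1;
                $issues[] = makeIssue($path, $line, 'blade-form-without-csrf',
                    'POST form without @csrf token.');
            }
        }
    }

    return $issues;
}

// Constructed sample, trimmed from the form posted earlier in this thread.
$sample = <<<'BLADE'
<form action="{{ route('ticket.submit') }}" method="POST">
    {{-- @csrf --}}
    @php
        $malware = "<script>alert('XSS Vulnerability!')</script>";
    @endphp
    <input value="{!! $malware !!}">
    <input class="uk-input" name="subject_name" type="text" value="{{ $subject }}">
    <button type="submit">Submit</button>
</form>
BLADE;

$report = ['issues' => lintBlade('resources/views/ticket.blade.php', $sample)];
file_put_contents('blade-issues.json', json_encode($report, JSON_PRETTY_PRINT));
echo count($report['issues']), " issue(s) written to blade-issues.json", PHP_EOL;
```

To aggregate the results, run the script before the scanner and add `sonar.externalIssuesReportPaths=blade-issues.json` to `sonar-project.properties`; the findings then appear on the project alongside SonarQube's own issues. A regex checker like this is a coarse substitute for taint analysis (it cannot tell whether `$malware` is user-controlled), so treat its output as a review queue rather than a verdict.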

Hi @Loris and @ganncamp,

Thanks for the prompt response, I will try it on SonarCloud.

Many thanks,
Marshall


Hi @Loris ,

I’m just curious: How many templating engine types does SonarQube support? Is there a list of templating engines I can view?

I noticed that the Laravel I am using does support other templating engines such as Twig or Mustache.

Hope to hear from you soon, thanks

Hi Marshall,

We have prioritized other languages these last few years, so we support templating engines mostly for other languages, such as Thymeleaf or Jinja. This is generally because we react to users’ needs.

I suggest going to this page and giving your input to our product management team about your need for PHP templating support: https://portal.productboard.com/sonarsource/3-sonarqube-server/tabs/5-under-consideration/submit-idea

If you do not have time to write your use case, please tell me and I will adapt your contribution. While we may not cover every templating engine available yet, we strive to expand our support to meet our users’ needs, so your input will be very valuable.

Plus, we are going to work more on PHP security for a bit in 2025, and if we gain traction from the PHP community toward PHP’s templating engines, it will be deemed legitimate, and we will definitely work on it :+1:

Cheers,
Loris


Hi @Loris,

Thanks, I have submitted my concern and need to the Product Management Team about the PHP templating support.

Also, I had a quick browse on ChatGPT just now; it mentions a few Templating Engines SonarQube supports:

  1. Thymeleaf (used with Java and Spring)
  2. Velocity (used with Java)
  3. Freemarker (used with Java)
  4. Jinja2 (used with Python)
  5. Smarty (used with PHP)
  6. Twig (used with PHP and Symfony)
  7. Handlebars (used with JavaScript/Node.js)

Cheers,
Marshall


Hi @Loris,

I would like to know if SonarQube supports Templating Engines such as Twig, Mustache, or Smarty.

I would also like to know a list of Templating Engines SonarQube supports.

Hope to hear from you soon, thanks.

Regards,
Marshall

Hello Marshall,

Twig, Mustache, or Smarty are not supported.

Technically, SonarQube will do an analysis with them in it, so it will “support” them, but no detection rule supports them.

I cannot give a comprehensive list of the detection rules supporting all templating frameworks. This information is too scattered across our thousands of rules.

Hi @Loris,

Thank you so much for your time, I shall look into the alternative for the blade if there’s any.

Cheers,
Marshall


My pleasure, Marshall. Have a nice day!

