How Does Sonar Cloud Handle Custom Nuget Packages and Jar Files?

I am an appsec engineer interested in using Sonar Cloud for static security scanning. What I need to understand is how Sonar Cloud handles “second party dependencies” (code written by us but not immediately available to source code analysis). If, say, a string comes into an API endpoint, passes through a nuget package that we built, and then goes into a SQL statement, how does Sonar Cloud handle that? It can’t see all the code all at once because it either analyzes the API code or the nuget package code but not both at the same time. Does it treat the call to the nuget code as if it doesn’t exist and continue analyzing the code, or does it simply not analyze code it doesn’t have and stop when it sees the call to the nuget package?

Imagine a situation where a nuget package calls into the database, adds the result of a SQL query onto a string that it is passed, and then returns the final string. There could be, say, second-order SQL injection vulns involving nuget packages and we wouldn’t have any visibility into them, right?

All static analysis solutions have blind spots of some sort and I want to understand blind spots in Sonar Cloud relating to second party code better.

Hi,

Welcome to the community!

SonarCloud analyzes the code it has. In SonarQube Enterprise edition, you would have the ability to configure those external calls as sources, sanitizers, validators, sinks and pass-throughs. Without that, your custom libraries are treated the same as any other library:

When you pass a tainted value to a library function outside the current function, SonarQube [and SonarCloud] automatically assumes it’s being passed to a sanitizer.

HTH,
Ann
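To make the blind spot concrete, here is an added toy taint tracker (not the thread's code and not Sonar's engine) that walks the scenario from the question: request input, a call into an unanalyzed second-party package, then a SQL sink. The package name `AcmeText.Decorate` and the tiny statement format are constructed for the illustration; the point is that the same program yields no finding when unknown calls default to "sanitizer" and one finding when that call is modelled as a pass-through.

```python
from typing import Dict, List, Set, Tuple

# Constructed toy IR for the thread's scenario. Statement forms:
#   ("source", dst)          dst = untrusted request input
#   ("call", dst, fn, arg)   dst = fn(arg), where fn is library code the
#                            analyzer has no source for
#   ("sink", arg)            arg is concatenated into a SQL statement
Stmt = Tuple[str, ...]

# Roles an analyzer can assign to an external call it cannot look into.
ROLES = {"source", "sanitizer", "pass-through", "sink"}


def analyze(program: List[Stmt], models: Dict[str, str], default: str) -> List[str]:
    """Propagate taint through `program`; `models` maps an external function
    name to its role and `default` is the role for any unmodelled call."""
    assert default in ROLES and set(models.values()) <= ROLES
    tainted: Set[str] = set()
    findings: List[str] = []
    for i, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "source":
            tainted.add(stmt[1])
        elif kind == "call":
            _, dst, fn, arg = stmt
            role = models.get(fn, default)
            if role == "sanitizer":          # result assumed clean
                tainted.discard(dst)
            elif role == "source":           # result assumed attacker-controlled
                tainted.add(dst)
            else:                            # pass-through or sink: taint flows on
                if role == "sink" and arg in tainted:
                    findings.append(f"stmt {i}: tainted {arg} reaches sink {fn}")
                (tainted.add if arg in tainted else tainted.discard)(dst)
        elif kind == "sink":
            if stmt[1] in tainted:
                findings.append(f"stmt {i}: tainted {stmt[1]} reaches SQL sink")
    return findings


# Endpoint parameter -> custom nuget package (body not analyzed) -> SQL.
SCENARIO: List[Stmt] = [
    ("source", "name"),
    ("call", "decorated", "AcmeText.Decorate", "name"),
    ("sink", "decorated"),
]

def default_view() -> List[str]:
    """Unknown calls treated as sanitizers: no finding (the blind spot)."""
    return analyze(SCENARIO, models={}, default="sanitizer")

def configured_view() -> List[str]:
    """The package call explicitly modelled as a pass-through: one finding."""
    return analyze(SCENARIO, models={"AcmeText.Decorate": "pass-through"}, default="sanitizer")
```

Setting `default="pass-through"` with an empty `models` dict is the "treat every external library as a pass-through" posture asked about later in the thread; it surfaces the same finding at the cost of more noise.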

Thank you for the reply. If I want every external library to be treated as a pass-through, what is the easiest way to configure this?

Hi,

To be clear, that configuration isn’t available on SonarCloud. You would need to switch to SonarQube Enterprise Edition ($$).

HTH,
Ann