How to define/adjust a filtering function for the existing rule?

SonarQube 9.1.0

Let’s say we have a code flow which triggers an XSS-like vulnerability. The value enters the code and is then passed to some function, which in fact acts as a filtering function (returns a unique ID from some DB or whatever). We know that and we want to teach the scanner not to raise an issue if the flow passes through this function. How can we do that?

Hi,

You’re talking about customizing the taint analysis. That’s available starting in Enterprise Edition ($$).

HTH,
Ann

Can we leverage the existing taint analysis engine and write our own plugin for PHP scanning? In this case it would be a new plugin, but one that just focuses on defining proper sources, sinks, etc. rather than re-inventing the taint engine.

Hi,

No, that’s not available.

:woman_shrugging:
Ann