HTTP request redirection vulnerability is not detected by the SonarLint plugin or the SonarQube server

Once we performed the static code analysis with SonarQube and the SonarLint Eclipse plugin, none of them could detect a vulnerability in the code segment below. But this has been defined as a vulnerability under the rules on the SonarSource web site.

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String location = req.getParameter("url");
  resp.sendRedirect(location); // Noncompliant
}

Reference: https://rules.sonarsource.com/java/RSPEC-5146
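An added example (not from this thread or the rule page) showing the hardened counterpart to the noncompliant snippet above: the user-supplied `url` parameter is validated against a hypothetical host allow-list before it reaches `sendRedirect`, which is the kind of sanitizer a taint-analysis rule such as RSPEC-5146 looks for. It assumes the `javax.servlet` API on the classpath and Java 11 or later.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeRedirectServlet extends HttpServlet {

    // Hypothetical allow-list of external hosts this application may redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");
    private static final String DEFAULT_TARGET = "/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String location = req.getParameter("url");
        // Compliant: the tainted value is validated before it reaches the redirect sink.
        resp.sendRedirect(safeTarget(location));
    }

    /** Returns the candidate if it is a same-site path or an allow-listed https URL, else the default. */
    static String safeTarget(String candidate) {
        if (candidate == null || candidate.isBlank()) {
            return DEFAULT_TARGET;
        }
        URI uri;
        try {
            uri = new URI(candidate);           // rejects illegal characters such as "\"
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        if (uri.isAbsolute() || uri.getAuthority() != null) {
            // Absolute URL, or protocol-relative "//other.host": only https to an allow-listed host.
            boolean ok = "https".equalsIgnoreCase(uri.getScheme())
                    && uri.getHost() != null
                    && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
            return ok ? uri.toString() : DEFAULT_TARGET;
        }
        // Relative reference: require a leading "/" so the target stays on this site.
        String path = uri.getPath();
        if (path == null || !path.startsWith("/")) {
            return DEFAULT_TARGET;
        }
        return candidate;
    }
}
```

With this validation in place, `"/account?tab=1"` and `"https://www.example.com/done"` are passed through, while `"//other.host/"`, `"javascript:alert(1)"` and `"http://www.example.com/"` fall back to `"/"`.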

Hello thank you for your question.

This rule, along with other security-related rules, is available with SonarQube Developer Edition and above. Which edition are you using?

To complete @JBL_SonarSource's answer, it is expected that SonarLint doesn't report those rules. See the SonarLint FAQ for details.

Thanks for the reply. I’m using the SonarQube Community edition. Is there any possibility that I can enable this rule in SonarLint? Is there any specific SonarLint edition?

Unfortunately, not yet.

The taint analysis engine that powers these rules is currently too computationally intensive for the near-real-time developer experience that we want to provide with SonarLint.

We are definitely looking into ways to bring these powerful rules in the IDE in the next few months, and according to our current plans, this will rely on connected mode with either SonarCloud or a commercial edition of SonarQube.
