Must-share information (formatted with Markdown):
- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
SonarQube 7.9.3 (build 33349),
- what are you trying to achieve
I am new to SonarQube and am interested in whether or how SonarQube helps to spot missing input validation in web applications, in particular when using C#/.NET.
First, I do know that SonarQube can detect some of the OWASP Top 10 vulnerabilities like XEE or some injections. But imho this is just the tip of the iceberg when looking at missing or incomplete input validation. Extending the XEE example, SonarQube apparently validates that XmlResolver is initialized to null, but in fact I'd argue one is supposed to provide a non-null XmlResolver that either resolves external entities to an internal resource as needed, or throws an exception to indicate that an unexpected external entity was referenced in the input.
Does SonarQube detect that no validation (calls to XmlDocument.Validate) is taking place at all? That no schemas are added prior to validation?
On the "What's New in latest releases | SonarQube" page you write "Tracking Untrusted Data from More C# Frameworks" and mention WCF. Can you please elaborate what exactly you are detecting? I'd be looking for tests that check whether "How to: Perform Message Validation with Schema Validation in WCF | Microsoft Docs" (or equivalent) was adhered to. In fact the tutorial looks so complicated to me - also a newbie on WCF - that I am wondering whether there is a better way to implement and enforce it.
- what have you tried so far to achieve this
I looked around in existing code and reports, but didn't find any rules violated even though I was hoping for that.
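The post raises two distinct checks a scanner could look for: whether external entity resolution is disabled or made to fail loudly, and whether schema validation actually runs against a loaded schema. The following is an added example (not code from the post, from SonarSource, or from the Microsoft tutorial) showing both in plain .NET `System.Xml`, so the reader can see concretely what "validation is taking place" looks like. The class names `RejectingXmlResolver` and `ValidatedXmlLoader`, the `urn:example:order` namespace, the schema and the three sample documents are all constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Schema;

// Hypothetical resolver (named for this example): every attempt to fetch an
// external resource throws, so a document that references one fails loudly
// instead of being silently resolved or silently ignored.
sealed class RejectingXmlResolver : XmlResolver
{
    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        throw new XmlException("External resource reference rejected: " + absoluteUri);
    }
}

static class ValidatedXmlLoader
{
    // Constructed schema for the example: an <order> holding one positive integer.
    const string OrderSchema = @"<?xml version=""1.0""?>
<xs:schema xmlns:xs=""http://www.w3.org/2001/XMLSchema""
           targetNamespace=""urn:example:order"" xmlns=""urn:example:order""
           elementFormDefault=""qualified"">
  <xs:element name=""order"">
    <xs:complexType>
      <xs:sequence>
        <xs:element name=""quantity"" type=""xs:positiveInteger""/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>";

    // Loads untrusted XML: DTDs prohibited, external fetches rejected,
    // and the document validated against the schema while it is read.
    public static XmlDocument Load(string xml)
    {
        var schemas = new XmlSchemaSet();
        schemas.Add("urn:example:order", XmlReader.Create(new StringReader(OrderSchema)));

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,    // any DOCTYPE is an error
            XmlResolver = new RejectingXmlResolver(),  // nothing external is ever fetched
            ValidationType = ValidationType.Schema,
            Schemas = schemas,
            // Without ReportValidationWarnings, an element with no matching schema
            // is only a warning and would pass silently; that is the "no schema was
            // added" failure mode the post asks about, so surface it as an error.
            ValidationFlags = XmlSchemaValidationFlags.ReportValidationWarnings,
        };
        settings.ValidationEventHandler += (sender, e) =>
        {
            throw new XmlSchemaValidationException(e.Message, e.Exception);
        };

        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        // Constructed samples: valid, schema-invalid, and one carrying a DOCTYPE.
        string[] samples =
        {
            "<order xmlns=\"urn:example:order\"><quantity>3</quantity></order>",
            "<order xmlns=\"urn:example:order\"><quantity>-3</quantity></order>",
            "<!DOCTYPE order><order xmlns=\"urn:example:order\"><quantity>3</quantity></order>",
        };

        foreach (var sample in samples)
        {
            try
            {
                var doc = Load(sample);
                Console.WriteLine("accepted: " + doc.DocumentElement.InnerText);
            }
            catch (XmlException ex)   // XmlSchemaValidationException derives from XmlException
            {
                Console.WriteLine("rejected: " + ex.Message);
            }
        }
    }
}
```

Only the first sample is accepted: the second fails the `xs:positiveInteger` type, and the third is refused by `DtdProcessing.Prohibit` before any entity could be resolved. For a document that has already been loaded without a validating reader, the equivalent after-the-fact route is to add the schema to `doc.Schemas` and call `doc.Validate(handler)`; if neither path is present anywhere in the code, no validation is happening, which is the condition the post is asking a scanner to flag.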