Introduced vulnerable package and vulnerability not found within scan results

  • ALM used: Bitbucket Cloud
  • CI system used: Circle CI
  • Languages of the repository: Python
  • Error observed: I am tried to introduce a vulnerable package within the requirements.txt file and I tried to introduce a vulnerability within the tests folder of my repo and nothing showed up in the final results of my scan. For the vulnerable package, I changed a currently used package to an older version that has a CVE attached to it. For the vulnerability, I see within the Code tab that the scan scope covered what I had written. I still do not see any new Issues that should have been introduced. Are there requirements on if packages need to be called, how they are used, and what the scan covers (my scan does not currently cover the requirements.txt file) that need to be met before a vulnerability shows up in my Branch Summary? Also are there requirements on if code has to be run, or how its run to see the introduced vulnerability?
1 Like


Welcome to the community!

Did you write vulnerable code, or did you simply switch to using a vulnerable dependency?

To be clear, SonarCloud does static analysis of source code, or SAST in a security context. We don’t do SCA. So simply having a vulnerable dependency won’t raise any issues.


I did both. I lowered a dependency version first and then I tried run a vulnerable python script. Also that makes sense, I understand the dependency. For some reason the vulnerable code doesn’t show up, but it may be an issue with my code. I also have one other issue, for some reason the scan does not scan extra files that are added to the repo that are not and within the tests or src folders.


We try to keep it to one topic per thread. Otherwise it can get messy, fast. So let’s focus here on the vulnerability question & please create a new thread for the analysis question.

So you introduced a vulnerability in your code by having it execute a vulnerable function from the dependency? Does that mean the function is only vulnerable in certain versions of the dependency?

Can you provide a compact reproducer demonstrating what should have been recognized as a vulnerability in your code but wasn’t?


Hello Ann,

I think the vulnerability should be caught regardless dependencies. I put the below vulnerability into the code:

import subprocess
import pytest

def run_command(command):
    user_input = input("Enter a command to run: ")
    output = subprocess.check_output(user_input)
    return output>

Hi Chay,

Nice to meet you and welcome to the community!

Small clarification question: What product do you use? Is it SonarQube Community Edition? (Some features are not available in this edition)

Then, to your questions:

First, for injections, our analyzers will only raise an issue on code that is considered realistic and exploitable by a remote attacker because we want to limit false positives and reduce noise.
In your example, it looks like run_command is not actually used. For injections such as the one you want to test, we currently only target web attack vectors, so to test the solution, you need to create an API, with Flask or Django for example.

Second, about subprocess.check_output, we are currently in the process of reworking how our analyzers handle that function with a string as a parameter because its impact is different from other command functions, such as os.system.
check_output only accepts a command name when used with a string, so its exploitability is limited to denials of service and chaining of this vulnerability with other vulnerabilities where you have the possibility to upload a file on the server. On the contrary, os.system is more easily exploitable, and a high impact can be reached more easily than with check_output because you can feed it a command with arguments.
So, we are currently not raising anything (yet), in order to tweak our analyzers to correctly handle this and make sure there is no confusion for the users. We want to make sure what we detect is coherent, relevant, and explain as well as we can what the problem is.

So, to sum this up, to test for “regular” (meaning with full exploitability) command injection vulnerabilities, here is an example using Flask and os.system:

from flask import Flask, request
import os

app = Flask(__name__)

def cmd():
    cmd = request.args.get("cmd", "whoami")
    status = os.system(cmd)
    return str(status == 0)

if __name__ == '__main__':

The vulnerability written in this code is impactful as it can lead to intrusions on the underlying system.



I am using SonarCloud and this worked! Thank you for the help!

1 Like

Glad I could help :smiling_face:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.