Is Stored XSS not supported for PHP

I’m using SonarQube Developer Edition Version 7.7 (build 23042)

It appears Stored or Persistent XSS vulnerabilities are not being flagged. Checkmarx will flag, for example, using a variable from a fetch_assoc call on a database retrieve, but SonarQube does not.


This is correct, SonarQube DE+ doesn’t detect stored XSS. You have the possibility with SQ EE to customize the sources, sanitizers and sinks if you want to declare retrieval of data from the database as “sources” of the security engine:

That said, don’t you think blindly declaring fetch_assoc as a source of potential stored XSS will generate a lot of FPs?