Is this OWASP issue a false positive?


We have the following issue flagged by SonarQube:

However, reading more about this vulnerability, it seems that this is a concern when using window.addEventListener(“message”), which receives events from postMessage(), but in our case we are not listening to “message” events (we are listening to the “resize” event in the screenshot above).

So is this a false positive?

(We are on SonarQube Developer Edition, version 8.9.6)
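To make the distinction in the question concrete, here is an added example (not code from this thread, nor from SonarSource): a `message` listener that acts on postMessage() payloads without checking `event.origin`, the hardened form beside it, a sender that names its target origin instead of `"*"`, and a `resize` handler that has no origin to check because the browser itself dispatches the event. The origins `https://trusted.example` and `https://evil.example`, the fake window object and the sample messages are all constructed for the example.

```javascript
// Added example, not code from the thread or from SonarSource.
// Origins below are hypothetical placeholders.
const TRUSTED_ORIGIN = "https://trusted.example";
const TRUSTED_ORIGINS = new Set([TRUSTED_ORIGIN]);

// Vulnerable receiver: any document that can reach this window (opener,
// parent frame, embedded iframe) can call postMessage() and this handler
// acts on the payload without asking where it came from.
function handleMessageUnsafe(event, state) {
  const data = JSON.parse(event.data);
  state.theme = data.theme; // attacker-controlled value reaches app state
  return true;
}

// Hardened receiver: check event.origin against an explicit allowlist
// BEFORE touching event.data, then validate the payload shape. Comparing the
// full origin (scheme + host + port) avoids substring tricks such as
// "https://trusted.example.evil.example".
function handleMessageSafe(event, state) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return false; // drop silently; do not reply to the sender
  }
  let data;
  try {
    data = JSON.parse(event.data);
  } catch (_) {
    return false;
  }
  if (data === null || typeof data !== "object") return false;
  if (data.theme !== "light" && data.theme !== "dark") return false;
  state.theme = data.theme;
  return true;
}

// Hardened sender: name the recipient origin instead of "*", so the browser
// discards the message if the target window has navigated elsewhere.
function sendThemeToTrusted(targetWindow, theme) {
  targetWindow.postMessage(JSON.stringify({ theme }), TRUSTED_ORIGIN);
}

// A "resize" event is dispatched by the browser itself, not by another
// document, so it carries no cross-origin payload and no origin to verify.
function handleResize(event, state) {
  state.width = event.target.innerWidth;
  return true;
}

function registerListeners(win, state) {
  win.addEventListener("message", (e) => handleMessageSafe(e, state));
  win.addEventListener("resize", (e) => handleResize(e, state));
}

// Minimal stand-in for a browser window (constructed for this example) so the
// handlers can be exercised outside a browser.
function makeFakeWindow() {
  const handlers = {};
  const sent = [];
  return {
    innerWidth: 800,
    sent,
    addEventListener(type, fn) {
      if (!handlers[type]) handlers[type] = [];
      handlers[type].push(fn);
    },
    dispatch(type, event) {
      return (handlers[type] || []).map((fn) => fn(event));
    },
    postMessage(data, targetOrigin) {
      sent.push({ data, targetOrigin });
    },
  };
}

function demo() {
  const win = makeFakeWindow();
  const state = { theme: "light", width: 0 };
  registerListeners(win, state);

  // Constructed message from an untrusted origin: rejected by the safe handler.
  const hostile = { origin: "https://evil.example", data: JSON.stringify({ theme: "dark" }) };
  const fromHostile = win.dispatch("message", hostile);

  // Same payload from the allowlisted origin: accepted.
  const friendly = { origin: TRUSTED_ORIGIN, data: JSON.stringify({ theme: "dark" }) };
  const fromFriendly = win.dispatch("message", friendly);

  // A resize event needs no origin check.
  win.innerWidth = 1024;
  win.dispatch("resize", { target: win });

  sendThemeToTrusted(win, state.theme);
  return { fromHostile, fromFriendly, state, sent: win.sent };
}

console.log(JSON.stringify(demo()));
```

The check on `event.origin` must come before any use of `event.data`; a handler that parses first and checks later has already done work (and possibly thrown) on behalf of an untrusted sender. Checking `event.source` against the window you expect to talk to is a useful additional guard, but it does not replace the origin comparison.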

We have noticed the same issue (or a related one) in the case of the Chromium-specific beforeinstallprompt event.


Any idea @sonarsourcers?

Hi @samwise ,

The issue was already resolved but not in the version that you are using. Upgrading to 9.4 will resolve the issue.

In the future, please make sure to follow the “How to Report a False-positive / False-negative” guide, thanks!
