Sonarqube: 9.6.1-developer
Scanner: 4.7.0.2747
Hello people,
I am trying to trigger a vulnerability rule specifically to test the sonar scanner in being able to actually report all issues that are assigned by Quality Gates/Profiles. I chose the javascript rule as in JavaScript static code analysis | Vulnerability: Weak SSL/TLS protocols should not be used (sonarsource.com).
NodeJS is already preinstalled on the sonar scanner image like you can see from the Dockerfile in sonar-scanner-cli-docker/Dockerfile at master · SonarSource/sonar-scanner-cli-docker · GitHub.
I introduced the following (non-compliant) code which should trigger the above rule.
let https;
try {
https = require('node:https');
} catch (err) {
console.log('https support is disabled!');
}
let options = {
secureProtocol: 'TLSv1_method', // Noncompliant: TLS1.0 is insecure
hostname: 'google.com',
port: 443,
path: '/',
method: 'GET'
};
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Noncompliant
req.on('error', (e) => {
console.error(e);
});
req.end();
However, the sonar-scanner does not report any issues. I checked whether the assigned Quality Profile activated the rule. If I run above code locally, it runs without errors and returns HTTP code 301.
This is an excerpt from the logs, the file is being found, it also appears under “Code” in the Sonarqube Server Project UI:
INFO: Sensor JavaScript analysis [javascript]
INFO: Deploying custom rules bundle jar:file:/opt/sonar-scanner/.sonar/cache/985cd0bb0f213099aac4466b1eea8b9a/sonar-securityjsfrontend-plugin.jar!/js-vulnerabilities-rules-1.0.0.tgz to /builds/devopstestfield/sonarqube-dummy/.scannerwork/.sonartmp/eslint-bridge-bundle/package/custom-rules6074324365239266430
INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: Sensor JavaScript analysis [javascript] (done) | time=5482ms
What am I missing? How can I trigger this rule on purpose?
Thanks in advance!