Javascript vulnerability not found by Sonar Scanner

Sonarqube: 9.6.1-developer

Hello people,

I am trying to trigger a vulnerability rule specifically to test the sonar scanner in being able to actually report all issues that are assigned by Quality Gates/Profiles. I chose the javascript rule as in JavaScript static code analysis | Vulnerability: Weak SSL/TLS protocols should not be used (

NodeJS is already preinstalled on the sonar scanner image like you can see from the Dockerfile in sonar-scanner-cli-docker/Dockerfile at master · SonarSource/sonar-scanner-cli-docker · GitHub.

I introduced the following (non-compliant) code which should trigger the above rule.

let https;

try {
  https = require('node:https');
} catch (err) {
  console.log('https support is disabled!');

let options = {
    secureProtocol: 'TLSv1_method', // Noncompliant: TLS1.0 is insecure
    hostname: '',
    port: 443,
    path: '/',
    method: 'GET'

let req = https.request(options, (res) => {
    res.on('data', (d) => {
});  // Noncompliant

req.on('error', (e) => {


However, the sonar-scanner does not report any issues. I checked whether the assigned Quality Profile activated the rule. If I run above code locally, it runs without errors and returns HTTP code 301.

This is an excerpt from the logs, the file is being found, it also appears under “Code” in the Sonarqube Server Project UI:

INFO: Sensor JavaScript analysis [javascript]
INFO: Deploying custom rules bundle jar:file:/opt/sonar-scanner/.sonar/cache/985cd0bb0f213099aac4466b1eea8b9a/sonar-securityjsfrontend-plugin.jar!/js-vulnerabilities-rules-1.0.0.tgz to /builds/devopstestfield/sonarqube-dummy/.scannerwork/.sonartmp/eslint-bridge-bundle/package/custom-rules6074324365239266430
INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: Sensor JavaScript analysis [javascript] (done) | time=5482ms

What am I missing? How can I trigger this rule on purpose?

Thanks in advance!

1 Like

Hi AERQAJ and welcome to the community!

Thanks for reporting this! It seems like we missed a small but important detail when implementing this: we raise an issue for the module https but not for node:https. So if you change the line to https = require('https'); it would raise an issue.

I have created an internal ticket to take care of this problem.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.