JS SQL injection detection miss

dbrin · August 12, 2025, 10:48pm

Sorry to bring back an old thread, but there is a Jira ticket listed in a resolution and I cant see the status of the ticket:

Old thread: Basic SQL injection not detected in JS files - Rules and Languages / Report False-positive / False-negative… - Sonar Community

I ran into this issue recently, on Data Center Edition, v2025.1.1

Colin · August 13, 2025, 8:43am

Hey @dbrin

I can confirm that ticket, which is in a private backlog, is still open.

@Loris how’s it going?

Loris · August 13, 2025, 9:17am

Hello @dbrin, thanks a lot for bringing this ticket back to my attention!

Between 2022 and today, we wrote an entirely new JS engine for complex JS data flow tracking, which (among other things) definitely unprioritized and slowed down this ticket’s implementation.

I cleaned-up the ticket and updated it, and this should now be closed in the next iterations

Thanks,

Loris

Topic		Replies	Views
Basic SQL injection not detected in JS files Report False-positive / False-negative... javascript , sonarqube	6	1326	September 5, 2022
Database queries should not be vulnerable to injection attacks Report False-positive / False-negative... javascript , sonarqube , security	1	619	September 27, 2022
JSSecurity SQL Injection Analysis SonarQube Cloud javascript , security , sonarqube-cloud	10	566	March 11, 2024
Sonarqube not detecting SQL injection in Java code SonarQube Server / Community Build	2	1218	March 25, 2021
Scanning JuiceShop with SonarQube SonarQube Cloud sonarqube , scanner	3	2321	April 8, 2021

JS SQL injection detection miss

Related topics