Many major code vulnerabilities not detected by sonar-way rules but identified by findbugs plugin

Hi,

The default sonar-way is not detecting some major flaws in code.

Sonarqube Community Edition version - 9.7.1
Sonar scanner - 4.7.0.2747
Findbugs Plugin - 4.2.2

Objective - Trying to find all the possible vulnerabilities in the java code.

Created 2 projects in sonarqube with different quality profiles.

  • Project A - Used default profile for java (sonar-way)

  • Project B - Used a custom profile which uses rules from findbugs plugin

Below is one of the errors listed by findbugs plugin.

This usage of java/lang/ProcessBuilder.command([Ljava/lang/String;)Ljava/lang/ProcessBuilder; can be vulnerable to Command Injection

Explanation - The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution.

The above issue is not detected by sonar-way.

Thanks,
Praveen
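To make the findbugs finding concrete, here is an added example (not code from this thread or from SonarQube/findbugs) of a ProcessBuilder.command call that is vulnerable in the way the message describes, next to a hardened version; the ping/traceroute tools, the hostname pattern and the Linux `-c 1` flag are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class ProcessBuilderInjectionDemo {

    // Vulnerable form (hypothetical): the untrusted value is concatenated into a
    // command line that a shell re-parses, so metacharacters such as ';' or '&&'
    // in the input turn into additional commands. This is what findbugs flags.
    static Process vulnerablePing(String host) throws IOException {
        String cmdLine = "ping -c 1 " + host;
        return new ProcessBuilder().command("sh", "-c", cmdLine).start();
    }

    // Assumed allowlist of executables and a strict hostname pattern.
    private static final Set<String> ALLOWED_TOOLS = Set.of("ping", "traceroute");
    private static final Pattern SAFE_HOST = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");

    // Hardened form: no shell, each argv element passed separately so the host
    // is never re-parsed, and both the tool and the host validated first.
    static List<String> hardenedCommand(String tool, String host) {
        if (!ALLOWED_TOOLS.contains(tool)) {
            throw new IllegalArgumentException("tool not allowed: " + tool);
        }
        if (!SAFE_HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid host: " + host);
        }
        return List.of(tool, "-c", "1", host);
    }

    static Process hardenedPing(String tool, String host) throws IOException {
        return new ProcessBuilder().command(hardenedCommand(tool, host)).start();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        // Constructed input carrying a shell metacharacter: rejected before any process starts.
        try {
            hardenedCommand("ping", "127.0.0.1; echo injected");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Valid input: runs ping with the host as a single argument (assumes ping is on PATH).
        Process p = hardenedPing("ping", "127.0.0.1");
        System.out.println("exit code: " + p.waitFor());
    }
}
```

The vulnerable method is defined only to show the pattern a scanner should report; the hardened path rejects the constructed hostile input without ever building a command.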

Hello Praveen and welcome to the community!

The detection of injection vulnerabilities is not part of the Community Edition. You will need Developer Edition or higher. See “available in” at Java static code analysis: OS commands should not be vulnerable to command injection attacks.

Other than that, I would need at least the code in question to say more about this.