Hi,
The default sonar-way is not detecting some major flaws in code.
Sonarqube Community Edition version - 9.7.1
Sonar scanner - 4.7.0.2747
Findbugs Plugin - 4.2.2
Objective - Trying to find all the possible vulnerabilities in the java code.
Created 2 projects in sonarqube with different quality profile.
- Project A - Used default profile for java (sonar-way)
- Project B - Used a custom profile which uses rules from the findbugs plugin
Below is one of the errors listed by the findbugs plugin.
This usage of java/lang/ProcessBuilder.command([Ljava/lang/String;)Ljava/lang/ProcessBuilder; can be vulnerable to Command Injection
Explanation - The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution.
The above issue is not detected by sonar-way.
Thanks,
Praveen
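The Findbugs finding quoted above concerns a request value reaching `ProcessBuilder.command(...)` unfiltered. The following is an added example, not code from the original post or from the SonarQube or Findbugs projects, showing the flagged pattern next to a hardened form: no shell, a fixed program, each argument as its own array element, and the user value checked against an allowlist before use. The class name, the allowlist entries, and the base directory `/srv/app/data` are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Set;

public class ProcessBuilderExample {

    // Pattern the quoted Findbugs rule reports: the user-supplied value is
    // concatenated into a command string that is handed to a shell, so shell
    // metacharacters in the input decide what actually runs.
    static Process vulnerableListing(String userSuppliedDir) throws IOException {
        ProcessBuilder pb = new ProcessBuilder();
        pb.command("sh", "-c", "ls -l " + userSuppliedDir);
        return pb.start();
    }

    // Assumed allowlist of directory names a caller may request (illustrative).
    private static final Set<String> ALLOWED_DIRS = Set.of("reports", "uploads", "logs");
    // Assumed base directory under which listings are permitted (illustrative).
    private static final Path BASE = Paths.get("/srv/app/data");

    // Hardened form: validate the input against a fixed set, resolve it under a
    // known base, and invoke the program directly with separate arguments so
    // the value can only ever be an argument, never part of a command line.
    static Process hardenedListing(String userSuppliedDir) throws IOException {
        if (userSuppliedDir == null || !ALLOWED_DIRS.contains(userSuppliedDir)) {
            throw new IllegalArgumentException("directory not allowed: " + userSuppliedDir);
        }
        Path target = BASE.resolve(userSuppliedDir).normalize();
        // Defence in depth: even with the allowlist, refuse anything that
        // resolves outside the base directory.
        if (!target.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        List<String> cmd = List.of("/bin/ls", "-l", target.toString());
        ProcessBuilder pb = new ProcessBuilder(cmd);
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a value as it might arrive from a request.
        String requested = args.length > 0 ? args[0] : "reports";
        Process p = hardenedListing(requested);
        System.out.println("started listing, exit code: " + waitQuietly(p));
    }

    private static int waitQuietly(Process p) {
        try {
            return p.waitFor();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return -1;
        }
    }
}
```

The first method is the shape a rule such as the quoted one is meant to catch; the second removes the shell entirely and constrains the input before it reaches `ProcessBuilder`. Whether a given analyzer still reports the hardened call depends on how far its taint tracking follows the allowlist check, so a remaining finding on it is worth reviewing rather than silencing.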