No issue detected in "Damn Vulnerable Web App"

php

(Pietro) #1

Dear all,

I apologize if I ask a wrong question at a wrong place, but I have to start somewhere.
I was trying to use sonar-scanner on a very small piece of PHP code which is taught in introductory classes for web app security (the famous Damn Vulnerable Web Application, DVWA, http://www.dvwa.co.uk).

Much to my surprise, sonar did not find a single security issue in any of the 4 PHP files, all of them full of shell_exec, unsanitized input/output, GET for form-based authentication… (It ran with default “sonar-way” rules as I did not find anything else).

Anyway, I don’t want to criticize anyone and anything, just want to know if SonarQube is the right way to go, or at least if there are tools that are able to catch quite obvious security code flaws. I know that primarily SonarQube is meant to address the quality of code, but security, these days, should be part of quality coding, I believe.

Also, I think a few years ago I was able to test Checkmarx and it did seem to be able to find blatant security issues in the code.

Thanks for any useful advice, regards,

Pietro


SonarPHP security good practices
(Alexandre Gigleux) #3

Hello Pietro,

What you can observe is what is expected as of now on DVWA. So far, the following rules will raise issues on DVWA:

  • RSPEC-2070: SHA-1 and Message-Digest hash algorithms should not be used in secure contexts
  • RSPEC-2964: “sleep” should not be called
  • RSPEC-3330: “HttpOnly” should be set on cookies

Our plan for 2019 is to raise many more issues on the DVWA project and, more generally, to provide more security rules for PHP.

In our backlog, we have the following tickets that we are going to implement in Jan 2019:

  • MMF-1404: Unlock the Detection of Vulnerabilities on PHP source files
  • MMF-1488: SonarPHP: add 15 additional Security Hotspots

That will come to complete what we currently have on the Security Domain for PHP:

I really suggest that you create a Quality Profile dedicated to Security by activating only the Vulnerability and Security Hotspots rules. That will help you to stay focused only on that domain.

We are fully aligned with you that nowadays, it’s critical to have rules helping developers to protect their code against attacks, and with SonarQube/SonarPHP we want to help Security Auditors and PHP developers in that field.
If you have any feedback regarding the 19+9 rules already available, feel free to share it on the Report a bug > False-positive > php section.

Regards