Hello,

For my graduation internship I have to research various code analysis tools. These should be able to check for vulnerabilities from the OWASP Top 10. Well I started working with SonarQube and SonarLint and created an ASP.NET project in which I make the vulnerabilities possible. But as soon as I run the project with SonarScanner for MSBuild and look in the dashboard of SonarQube I see that only bugs have been detected and no vulnerabilities. But I don’t get any notifications in Sonarlint either. I am using the very latest version of SonarQube Community Edition, SonarLint and SonarScanner.

I know for sure that a SQL Injection and XSS is possible in my application, but SonarQube or SonarLint doesn’t show it. Am I doing something wrong or is it just not possible with the Community Edition of SonarQube?

Injection Vulnerabilities are available in Developer Edition and up for SonarQube, or free for open source projects on https://sonarcloud.io!

Thank you for your fast response. Is it possible in the trial version of the Developer Edition?

Sure, but I think you’ll have a hard time getting a trial for a graduation project (trials are meant for companies who may intend to purchase the product)

Ok, the company where I do an internship will purchase a code analysis tool based on my advice. So I just try it and otherwise my advice will be to the company that they have to apply themselves to try the Developer Edition.

please can i use Sonarlint plugin locally(without sonarqube server) to scan for vulnerabilities(security defects)