For my graduation internship I have to research various code analysis tools. These should be able to check for vulnerabilities from the OWASP Top 10. Well, I started working with SonarQube and SonarLint and created an ASP.NET project in which I make the vulnerabilities possible. But as soon as I run the project with SonarScanner for MSBuild and look in the dashboard of SonarQube, I see that only bugs have been detected and no vulnerabilities. I don’t get any notifications in SonarLint either. I am using the very latest versions of SonarQube Community Edition, SonarLint and SonarScanner.
I know for sure that a SQL injection and XSS are possible in my application, but SonarQube and SonarLint don’t show them. Am I doing something wrong, or is it just not possible with the Community Edition of SonarQube?
Sure, but I think you’ll have a hard time getting a trial for a graduation project (trials are meant for companies who may intend to purchase the product).
OK, the company where I am doing my internship will purchase a code analysis tool based on my advice. So I’ll just try it, and otherwise my advice to the company will be that they have to apply themselves to try the Developer Edition.