No OWASP vulnerability found against OWASP juice shop

Hello, I’m running Sonarqube community edition version without any additional plugins or tools.

I wanted to test the performance of my Sonarqube setup by having it scan a locally cloned owasp juice shop repo: GitHub - juice-shop/juice-shop: OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

It found things for confusing, brain-overload and suspicious but no owasp.

Is it expected? Or did I have a configuration error? I was under the impression that I should get some owasp for an owasp intentional vulnerable web app.


I believe the issues you’re expecting are going to be raised only (mostly?) in commercial editions. This blog post may help.


Hi @ganncamp thanks for the response. Looks like I need to either get SonarCloud or get the Developer version of Sonarqube.

1 Like

You’re quite welcome!

And SonarCloud is free for open source projects.


@ganncamp do you happen to know where the blog got the Ground Truth & Results table from? I’m trying to look for a list of vulnerabilities and their locations in juice shop app but wasn’t able to.


I suspect it was the author’s own work, probably based on an analysis grounded in what’s available on the Juice Shop pages. But I’ll ping him.


Thanks that would be really great. There is a table under the Challenges tab but that’s as far as I could go. I didn’t find their location in the source code.


As far as I can remember, we built manually the initial ground truth based on the Challenge Solutions and on top of that, we added one or two vulnerabilities that were detected by SonarCloud and that were not expected by any challenge but that our AppSec guys confirmed as a TP.


1 Like

@Alexandre_Gigleux thanks for the response. It is very cool that you guys build the chart yourselves. I noticed that in the blog post you emphasized a lot more on injection vulnerabilities than other ones. Why did you only reference the stats of injection vulnerabilities for evaluating the tool?

Regarding a benchmark run against the OpenSSF CVE Benchmark project, as mentioned in the blog post, is there a estimated date that it’ll be performed?

We focused on the injection vulnerabilities because that’s one of the most complex types of vuln. to detect with static analysis and that is part of the value we provide to our customers on SonarCloud or with SonarQube Developer Edition.

Running against the “OpenSSF CVE Benchmark”?
To be honest it is currently on pause mode as we are focusing on other priorities AND because the OpenSSF CVE project is no longer moving from what I can see. I was expecting it to be extended to more CVEs, and more languages but looks like no one is still working on it actively.

Thanks for your answer. It’s unfortunate that the project is not moving forward. Looking forward to more benchmark project being tested on Sonar product.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.