No security vulnerabilities caught in very basic servlet application

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Community Edition Version 8.9 (build 43852)
  • what are you trying to achieve
    I added a simple servlet application; I was expecting that it should catch some security vulnerabilities, but I am getting zero vulnerabilities.
  • what have you tried so far to achieve this
    Only basic setup is done.

I am able to do an XSS attack on my application, but it is not caught.
I added Java Runtime code to get the server details; it is a vulnerability to expose.
I added a username and password in plain text in a JSP. Even though it is a minor issue, it is still a vulnerability, which is not caught.

Can you please suggest whether I need to do any other setup to catch this kind of vulnerability?

Regards,
Mahesh.

Hello Mahesh,

Welcome to the SonarSource community!

Injection vulnerabilities are not covered by the SonarQube Community Edition. You will need Developer Edition or above to have this kind of issue reported. You can also use SonarCloud to test your code for injection vulnerabilities.

You can see in the rules explorer at the bottom what products/versions support a specific rule: S5131 (XSS).
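To make concrete what rule S5131 (reflected XSS) looks for in a servlet, here is an added example that is not from the original post or from SonarSource: a request parameter written straight into the HTML response, beside the encoded form that removes the issue. The class names, the `name` parameter, the `javax.servlet` API and the small `htmlEncode` helper are assumptions of this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The pattern S5131 targets: the "name" parameter (attacker-controlled
// source) reaches the HTML response (sink) with no encoding in between.
class ReflectedGreetingServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String name = req.getParameter("name");
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<h1>Hello " + name + "</h1>"); // unencoded: reflected XSS
    }
}

// Mitigated form: untrusted input is HTML-encoded before it is written into
// element content, so any markup in the parameter is rendered as text.
public class EncodedGreetingServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String name = req.getParameter("name");
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<h1>Hello " + htmlEncode(name) + "</h1>");
    }

    // Minimal encoder for HTML element content (hypothetical helper; a real
    // project should use a maintained library such as OWASP Java Encoder).
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

On an edition that includes the taint-analysis rules, the first servlet is what S5131 reports and the second is what clears it; Community Edition does not run this analysis, so neither produces an issue there.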