No vulnerabilties in SonarCloud

Hi,

I did follow up the advise I got from my last question here (No OWASP vulnerabilities in my project) and added SonarCloud to my Azure Devops Pipeline. But because my project was written with ASP.Net Framework it didn’t work. So i rewrote the project in ASP.Net Core and now the build pipeline worked and it’s possible to view my project in SonarCloud.

But when I view my project on SonarCloud.io I still see that there are no vulnerabilities possible in my project. I’m using the Sonar Way quality profile for the code analysis. In my proof of concept it’s possible to do a SQL Injection and XSS.

The code for the SQL Injection is:

var userdetails = _context.Users.FromSqlRaw($“SELECT * From Users Where UserName=’{model.UserName}’ and Password Collate Latin1_general_CS_AS =’{model.Password}’”).FirstOrDefault();
if (userdetails == null)
{
ModelState.AddModelError(“LoginErrorMessage”, “Verkeerde gebruikersnaam of wachtwoord.”);
return View(“Index”, model);
}

And if I login into my page with ’ or ‘1’ = '1 then it shows the first user in my database.

Am I missing something or doing something wrong? I don’t know where to look anymore.

Hello,

Can you share a link to a repo containing your reproducer?

Thanks
Alex

I’m not sure how to do that? The repo is in my Azure DevOps environment and I can’t find a button to share the repo anywhere. I looked if I saw it on GitHub, but I couldn’t find it there.

If your reproducer / code is on GitHub, you can give me access using my nickname https://github.com/agigleux.

When I did everything right (copy the repo from Azure DevOps and upload it to GitHub), you should have access to my repo.

Hello,

Thanks for the reproducer, it helped to understand the problem.

SonarCloud is not raising the issue you expect because it ignores “auto-property”. Here is an example of a very simple False-Negative because of this limitation.

public class Model
{
   public int Value { get; set; }
}

public class MyController : Controller
{
    public IActionResult Index(Model model)
    {
        sink(model.Value); // FN - model.Value is mapped to `model.Value.get` getter method, which has no body in its declaration, so SonarCloud ignores it
    }
}

The problem is referenced under SONARSEC-517 (internal ticket).

Thanks
Alex