which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
SonarQube 9.9
how is SonarQube deployed: zip, Docker, Helm
Docker
what are you trying to achieve
I would like XSS vulnerabilities to be detected by the SonarQube code scan.
what have you tried so far to achieve this
Currently trying to understand why the rule did not detect the vulnerability.
Hello together,
I have a Java backend where I am using SonarQube for code scans.
Recently I found out that an XSS vulnerability was not detected by SonarQube, and I am currently asking myself why it was not detected, since the following rule is included in the quality profile used for the scan.
Rule: Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
I was expecting that, if I have a nested object within my REST endpoint method like:
POST saveXYZ(MyObject abc) {…}
and MyObject has a String attribute that is read (abc.getInputString()) in my code, the XSS rule would report an XSS vulnerability.
Is my understanding wrong, or are nested objects not checked by SonarQube / the XSS rule?
How can I achieve that such vulnerabilities are detected automatically by SonarQube in the future?
// Nested request object: the String inside it is the user-controlled input.
public class OrderRequestDTO {
    private String inputString;

    public String getInputString() { return inputString; }

    public void setInputString(String inputString) { this.inputString = inputString; }
}

// Maps the persisted entity back to the response DTO; entity.getInputString()
// carries the value that originally arrived in the request.
public UpdateResponseDTO mapToUpdateResponseDTO(OrderEntity entity) {
    UpdateResponseDTO dto = new UpdateResponseDTO();
    dto.setInputString(entity.getInputString());
    return dto;
}
Question / Open Point:
Assumption: inputString is a text box in my frontend where a user can enter malicious JavaScript.
I thought this would be detected by SonarQube as an XSS vulnerability because the nested input parameter was not sanitized. Is this assumption perhaps incorrect?
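For comparison, here is what the reflected-XSS taint path looks like when it is fully visible in the scanned sources: a user-controlled field inside a nested request object flows into an HTML response body. This is an added example, not code from the original post; the class names, paths, and the use of Spring MVC and JAX-RS side by side are illustrative assumptions (the three classes would normally live in three files). The hardened variant uses Spring's own HtmlUtils for output encoding.

```java
// --- OrderRequestDTO.java --- (assumed name; nested request object as in the post)
public class OrderRequestDTO {
    private String inputString;

    public String getInputString() { return inputString; }

    public void setInputString(String inputString) { this.inputString = inputString; }
}

// --- OrderController.java --- (Spring MVC form; names and paths are assumptions)
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;

@RestController
public class OrderController {

    // Vulnerable: the tainted field of the deserialized @RequestBody object flows
    // unchanged into a text/html response. A body such as
    // {"inputString":"<script>alert(1)</script>"} is reflected verbatim.
    @PostMapping(value = "/orders/echo", produces = MediaType.TEXT_HTML_VALUE)
    public String echoUnsafe(@RequestBody OrderRequestDTO request) {
        return "<p>Saved: " + request.getInputString() + "</p>";
    }

    // Hardened: HTML-encode the user-controlled value before it enters markup,
    // so '<', '>', '&' and quotes can no longer start a tag or attribute.
    @PostMapping(value = "/orders/echo-safe", produces = MediaType.TEXT_HTML_VALUE)
    public String echoSafe(@RequestBody OrderRequestDTO request) {
        return "<p>Saved: " + HtmlUtils.htmlEscape(request.getInputString()) + "</p>";
    }
}

// --- OrderResource.java --- (same flaw in JAX-RS form; jakarta namespace assumed)
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

@Path("/orders")
public class OrderResource {

    // Vulnerable for the same reason as echoUnsafe above: the nested field is
    // user input and the response is rendered as HTML. The fix is identical:
    // encode request.getInputString() before concatenating it into markup.
    @PUT
    @Path("/echo")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.TEXT_HTML)
    public String echoUnsafe(OrderRequestDTO request) {
        return "<p>Saved: " + request.getInputString() + "</p>";
    }
}
```

To reproduce the reflection by hand, send a JSON body with a script payload to the unsafe endpoint, for example `curl -X POST -H 'Content-Type: application/json' -d '{"inputString":"<script>alert(1)</script>"}' http://localhost:8080/orders/echo`, and compare with the `/orders/echo-safe` response. Two things matter for a taint-tracking rule to report this: the source (the request parameter or body), the propagation through the nested getter, and the sink (the HTML response) must all be in the scanned sources, and the sink must actually be one the rule recognises. A method such as mapToUpdateResponseDTO, which returns a DTO for the framework to serialize, is a different situation from returning an HTML string, which is why the reply below asks for the complete request/response chain and the exact framework versions.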
Thank you for the provided code. However, I do not fully understand which platform you are using. You mentioned Spring Boot, but the code does not look like Spring. It is closer to Jakarta code with @Path and @PUT JAX-RS annotations. Our detection depends on the frameworks used, so maybe there is something in the code SonarQube does not understand.
Can you please provide more complete code so I can try to reproduce the issue you have? In particular, which library are you using, with which versions, and how are the repository, OrderEntity and UpdateResponseDTO defined?