OWASP Rules not applied on C# and VB.NET code

Hello,

I am using the Community Edition of SonarQube version 8.2. In this version I can see OWASP-related rules for both the C# and VB.NET languages; however, when I execute the SonarScanner for MSBuild on my C# and VB.NET projects, no OWASP-related issue is reported. I have specifically added an OWASP issue in my code and am still not getting any OWASP issue.

I have added the sample code below, where I am taking input from a textbox. This code matches the “Formatting SQL queries is security-sensitive” rule, key csharpsquid:S2077, tag owasp-a1:
string oString = string.Format("SELECT * FROM Table1 WHERE col1 = '{0}'", strInput); // user input formatted into the query text
SqlCommand oCmd = new SqlCommand(oString, myConnection);
myConnection.Open();

string oString = "SELECT * FROM Table1 WHERE col1 = '" + strInput + "'"; // user input concatenated into the query text
SqlCommand oCmd = new SqlCommand(oString, myConnection);
myConnection.Open();

Similarly, I have added one more piece of code, matching the rule “Generic exceptions should not be ignored”, key csharpsquid:S2486, tag owasp-a10:
string text = "";
try
{
    text = File.ReadAllText(fileName);
}
catch (Exception exc) // exception swallowed without handling or logging
{
}

Can you please provide me some guidance as to why I am not getting issues matching the above tags? Are these OWASP rules available for Developer Edition?

Thanks,
Rajat

Hi Rajat,

Welcome to the community!

Are you sure the rules in question are included in your Quality Profile? You can make sure by scrolling to the bottom of the rule detail to see the list of profiles it’s in, e.g.:

HTH,
Ann

Thanks Ann for the response. Yes, these rules are included in the quality profile:

Thanks

Hi,

Thanks for the screenshot!

That’s as far as I can go on this topic. This thread is tagged for attention from the language experts. They should be along soon* to look at this.

Ann

* For some definition of “soon”. :joy:

Hello @Rajatgoy

S2077 is a security hotspot and, since SonarQube 8.2, security hotspots have a new dedicated space:
[Screenshot: Security Hotspots page (2020-04-14)]
You should be able to find your first sensitive code example there:

For your second code example, a ticket has been created to handle this case:

string oString = "SELECT * FROM Table1 WHERE col1 = '" + strInput + "'";
SqlCommand oCmd = new SqlCommand(oString, myConnection); // Sensitive
myConnection.Open();

For your third code example, in my case the issue is correctly raised:

string text = "";
try
{
    text = File.ReadAllText(fileName);
}
catch (Exception exc) // Noncompliant: exception ignored
{
}

Eric
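The two rules discussed in this thread, shown as an added example that is not code from the thread or from SonarSource: each flagged pattern sits beside a form the rule does not report. `myConnection`, `strInput` and `fileName` are assumed caller-supplied values.

```csharp
// Added example; myConnection, strInput and fileName are assumed caller-supplied values.
using System;
using System.Data.SqlClient;
using System.IO;

public static class SonarRuleExamples
{
    // S2077 (owasp-a1): query text built from user input; hotspot raised at the SqlCommand.
    public static SqlCommand SensitiveQuery(SqlConnection myConnection, string strInput)
    {
        string oString = string.Format("SELECT * FROM Table1 WHERE col1 = '{0}'", strInput);
        return new SqlCommand(oString, myConnection); // Sensitive
    }

    // Compliant: constant query text; the value travels as a parameter, never as SQL.
    public static SqlCommand ParameterizedQuery(SqlConnection myConnection, string strInput)
    {
        var oCmd = new SqlCommand("SELECT * FROM Table1 WHERE col1 = @col1", myConnection);
        oCmd.Parameters.AddWithValue("@col1", strInput);
        return oCmd;
    }

    // S2486 (owasp-a10): the exception is swallowed, leaving no trace of the failure.
    public static string ReadSwallowingErrors(string fileName)
    {
        string text = "";
        try
        {
            text = File.ReadAllText(fileName);
        }
        catch (Exception exc) // Noncompliant: ignored
        {
        }
        return text;
    }

    // Compliant: handle the expected case and record it; anything else propagates
    // to the caller instead of being silently dropped.
    public static string ReadWithHandling(string fileName)
    {
        try
        {
            return File.ReadAllText(fileName);
        }
        catch (FileNotFoundException exc)
        {
            Console.Error.WriteLine($"Missing file {fileName}: {exc.Message}");
            return "";
        }
    }
}
```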

Thanks @eric.therond for the update. Somehow, I am not getting any error other than the one below:

I have also noted that when rebuilding my project code, I am getting the below type of warning:
CSC : warning CS8032: An instance of analyzer SonarAnalyzer.Rules.CSharp.NativeMethodsShouldBeWrapped cannot be created from

Do you think that this could be the reason why I am not getting all errors?

Thanks,
Rajat

On further investigation of the warning “CSC : warning CS8032” reported during the project rebuild, I found that we need to upgrade the version of “Microsoft.Net.Compilers” from 1.0.0 to 1.3.2 via the NuGet manager.

Once done, the warning is suppressed and I can see all vulnerabilities in Sonar.

Thanks,
Rajat