- ALM used Bitbucket Cloud
- CI system used Bitbucket Pipelines
- Scanner command: using pipe sonarsource/sonarcloud-scan:1.2.0
- Languages of the repository: PHP
We did not see any SQL Injection report; only XSS and other reports such as Quality Coverage, Bugs, Code Smells etc. are pulled up. Is there any different pipe to be used to pull the SQL Injection reports?
SQL injection issues are detected in the same way as the others. There's nothing special to do.
Why do you expect such issues to be found in your project?
Do you know of a particular SQL injection issue which should be raised in your project?
We were able to see the results of the SQL Injection in another tool, which were valid.
The SonarCloud scan was done on a legacy PHP one.
The issue which we were looking for in the report was SQL statements having appended variables.
The fact that you concatenate variables to a SQL query doesn't mean that there's a SQL injection vulnerability. It's more complex than that and we spend a lot of effort to avoid false positives.
<?php
// Tainted source: $_GET is user-controlled, so the concatenated value
// reaches the query sink unchecked and an issue is raised.
function sql_injection($c) {
    $id = $_GET['id'];
    mysqli_query($c, 'select * from t1 where id=' . $id); // vulnerability
}
// Same concatenation, but the value is a constant: no user-controlled
// data flows into the query, so no issue is raised.
function safe($c) {
    $id = 42;
    mysqli_query($c, 'select * from t1 where id=' . $id); // no vulnerability
}
If you really believe that SonarCloud should raise an issue in your project, can you please share your code?
Here are some queries:
"SELECT distinct user_id, company_id FROM user where site_id = " . $context['site_id'] . " and user_email = '" . $context['email_address'] . "'";
"SELECT action_value, action_name FROM admin_action where affiliate_status=" . $status . " and admin_function = " . $admin_function;
Thank you.
However, it's still not possible to say whether this code is vulnerable.
What's inside $context when executing the first query?
If sonarcloud can tell that it contains user-controlled data, then it raises an issue: please see for yourself.
We try to track data flow quite deep but there are cases where we fail to track user-controlled data: that's what we call a false negative. If we can see your code (not just the line where the query is run), we can try to see whether an issue should indeed be raised and we can try to improve our analyzer.
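To make the source/sink point of the two replies above concrete, here is an added example that is not code from the thread or from SonarCloud. It takes the two queries posted earlier, shows the first one with $context built from request data (so the concatenation is exactly the tainted pattern an analyzer looks for, provided it can follow the flow into load_context), and rewrites both as mysqli prepared statements. The $request array, load_context(), the function names, the table columns' types and the connection credentials are assumptions for illustration; get_result() assumes the mysqlnd driver.

```php
<?php
// Added example (not from the thread). Constructed sample request data standing
// in for $_GET / $_POST in a legacy app; the second value is only there to show
// that request input can carry quote characters into a concatenated query.
$request = ['site_id' => '7', 'email_address' => "x@example.com' OR '1'='1"];

// Taint source: $context is filled from the request. An analyzer only reports
// the query below if it can track this assignment through to mysqli_query().
function load_context(array $request): array {
    return [
        'site_id'       => $request['site_id'],
        'email_address' => $request['email_address'],
    ];
}

// Before: the first posted query, request-controlled values spliced into SQL text.
function find_user_unsafe(mysqli $c, array $context): ?array {
    $sql = "SELECT distinct user_id, company_id FROM user where site_id = "
         . $context['site_id'] . " and user_email = '" . $context['email_address'] . "'";
    $res = mysqli_query($c, $sql);               // sink: tainted data reaches the query
    return $res ? mysqli_fetch_assoc($res) : null;
}

// After: prepared statement. The SQL text is fixed; values are bound as data,
// so quote characters in $context cannot change the statement's structure.
function find_user_safe(mysqli $c, array $context): ?array {
    $stmt = $c->prepare(
        'SELECT DISTINCT user_id, company_id FROM user WHERE site_id = ? AND user_email = ?'
    );
    $stmt->bind_param('is', $context['site_id'], $context['email_address']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Second posted query, same treatment. Assumes $status and $admin_function
// are likewise derived from request data (affiliate_status assumed integer).
function admin_actions_safe(mysqli $c, int $status, string $admin_function): array {
    $stmt = $c->prepare(
        'SELECT action_value, action_name FROM admin_action WHERE affiliate_status = ? AND admin_function = ?'
    );
    $stmt->bind_param('is', $status, $admin_function);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Placeholder connection details; replace with the application's own.
$c = new mysqli('localhost', 'db_user', 'db_password', 'app_db');
$context = load_context($request);
var_dump(find_user_safe($c, $context));
var_dump(admin_actions_safe($c, 1, 'export'));
```

The unsafe and safe functions run the same logical query; the difference an analyzer cares about is whether data from $request can reach the SQL text. In find_user_unsafe it does, through load_context, which is why the tool needs more than the single query line to decide; in the prepared versions the user input never becomes part of the statement.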
Hi Pierre-Yves Nicolas,
We have a similar requirement; please describe to us how SonarQube works from the attachment.
Also, please explain to us how to find out these types of errors in the SonarQube portal (localhost:9000).
Thanks,
MPSR
Hi @pamuna,
Sorry, I don't understand your request.
Please open a new thread with a clear question.
Thanks.