which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
Sonarqube Version 9.2.4
what are you trying to achieve
We are developing project in React Native. It’s not been so long since we have started the project and the line of code we have so far is not much. I think due to less lines of code, we are not able to see multiple vulnerabilities in the scan report. We are getting the security issues reported in Sonarqube scan through CI/CD pipeline but I’m not much confident if the code is scanned efficiently as the count of issues reported are only few. It might be due to any missing congratulations from our end or our code actually not having much vulnerabilities. But just wanted support to ensure if we heading in right direction.
Is it possible for you to share some sample React Native project that intentionally has the vulnerable code to assess that our setup is working completely fine? Also, can you please provide Sonarqube official documentation to setup scanning for React native code.
what have you tried so far to achieve this
Scanning code through CI/CD pipeline and Manually.
There’s no special analysis setup for anything written in JavaScript. If you’ve got a successful analysis and all your code is visible on the Code tab, you’ve likely done it right.
Regarding sample projects to analyze, I’ll ask internally for a recommendation.
I came across a scenario wherein I pasted the same code that is mentioned as Non compliant code under Javascript section(below is the sample) and invoked scan through CI/CD. Sonarqube covered those lines of codes in scanning but didn’t highlight that as vulnerability.
app.post(’/login’,
passport.authenticate(‘local’, { failureRedirect: ‘/login’ }),
function(req, res) {
// Sensitive - no session.regenerate after login
res.redirect(’/’);
});
Please suggest if there’s any change required in the configuration to ensure non-compliant code must be highlighted after scan is over.
What capacity is missing in Sonarqube to successfully scan React Native code?