Reflected XSS not detected

I’m trying to test that sonar shows up a javascript reflected XSS vulnerability. I’m using this code, which is adapted from the sonar xss docs

const express = require('express');
const app = express();
app.get('/', (req, res) => {
  const json = JSON.stringify({ "data": req.query.input });
  res.send(json);
});
app.post('/', (req, res) => {
  const json = JSON.stringify({ "data": req.query.input });
  res.send(req.query.input);
});
app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

However, sonarcloud analyzer did not pick up the xss vulnerability. I checked that the quality profile it uses has this rule enabled and it is enable
d. Anything else I can do? Did I write the code incorrectly?

edit:
turns out I’m also having the same issue in trying to see server cert validation rule with this code

const https = require('node:https');

const options = {
	hostname: 'encrypted.google.com',
	port: 443,
	path: '/',
	method: 'GET',
	rejectUnauthorized: false,
};

const req = https.request(options, (res) => {
	console.log('statusCode:', res.statusCode);
	console.log('headers:', res.headers);

	res.on('data', (d) => {
		process.stdout.write(d);
	});
});

req.on('error', (e) => {
	console.error(e);
});
req.end(); 

I’m wondering if I’m doing something wrong that affects both?

Hi @clavedeluna,

Thank you for your message and sorry for the late answer.

• We do detect the second XSS:

res.send(req.query.input);

• We do not detect the first one because of a mistake in the way we treat stringify. This is a false negative.

• We do detect the issues with TLS/HTTPS.

In order to detect vulnerabilities, SonarClound needs to know the context and thus needs a complete application. Maybe this is not the case with your tests.

Regards

Sebastien