Regular expressions should not be vulnerable to Denial of Service attacks

Must-share information (formatted with Markdown):

  • SonarQube Enterprise version 10.3

We see that the rule “Regular expressions should not be vulnerable to Denial of Service attacks” is enabled for one of our projects. The issue in particular is in the code and is being reported in GitHub, but it doesn’t show up in SonarQube. Could you help if there are any configuration changes that need to be done for the issue to show up in SonarQube as well?

Thank you

Hi,

Would you mind providing a screenshot of this? And also of where it isn’t reported in SonarQube?

Thx,
Ann

Please see the attached screenshots. Code scanning in GitHub is reporting the issue, and the issue is not being picked up in SonarQube even though we have a similar rule available.

Thank you!!

Hi,

Thanks for the rule description screenshots. Could I see where the issue is raised in GitHub, redacted as necessary?

Thx,
Ann

The issue is raised here.

Hi,

Thanks for the screenshot. It seems to show that an issue is raised in GitHub, not by SonarQube analysis, which is what I thought you were saying, but by CodeQL.

Which language are we talking about? Could you please provide a compact code sample to reproduce this?

Thx,
Ann