Q1) Does SonarQube use cookies (persistent or session) name/value pair to store any personal data (name, email address)?
Q2) Is the data encrypted which is stored in the database by SonarQube?
Q3) What methods [whitelisting, blacklisting, input validation, output encoding, escaping etc.] are used to prevent XSS attacks (reflected, stored, dom based)? (at client-side and server-side)
Q4) Are URL redirects (301-Permanent, 302-Temporary, URL Frame) validated against a whitelist of authorized URLs during redirection requests?
Q5) What controls in place to prevent directory traversal?
Q6) How does SonarQube sanitize structured data such as XML and JSON, if applicable for this applicable (APIs, Web services)?
Q7) What protections are in place to protect against injection based attacks like SQLi, OS/Command (e.g. parameterized queries, bind variables, ORM, input validation)?
Q8) Is xss and sql protection enabled explicitly for HTTP request headers as well?
Q9) Does SonarQube allow HTML in any user input field? If yes, how is this sanitized so that harmful html characters are not rendered to the user’s browser? (if applicable for SonarQube)
Q10) What HTTP methods (GET, POST, PUT, DELETE etc.) are supported by the SonarQube 7.9.1?
Q11) Whether below security response headers are implemented/partially implemented/not implemented by SonarQube?
- HTTP Strict Transport Security:
- Content-Security-Policy:
3, X-XSS-Protection: - X-Frame-Options:
- Set-Cookie: secure,httponly,path,domain -
- Cache-Control: no-cache, no-store, must-revalidate -
Q12) Does SonarQube implement Anti-CSRF token? If N/A, please provide a reason.
Q13) Do you check the value server side on hidden fields, drop downs and radio buttons (i.e. parameter tampering)? (if applicable for SonarQube)
Q14) Has the source code for this SonarQube release i.e. 7.9.1 been reviewed (manual and automated inspection) for security flaws?
Q15) Is the source code properly obfuscated to avoid disclosure of proprietary information, such as framework details, comments written by developers, hardcoded passwords in the html/source code?
Q16) Can Autocomplete be turned OFF for Login page for user credentials?
Q17) Are session identifiers random/unpredictable and sufficiently long?
Q18) Do session variables contain any sensitive information like name, email id, user id, csrf token etc.?
Q19) How will the user session be verified after successful authentication?
Q20) Does the application generate a unique Session ID for each session?
Q21) Does a user Session time out? If yes, what is the time to live?
Q22) Does a user Session invalidate after 1. log out, 2.after browser closure, 3.after failed login attempt and successful login?
Q23) Is concurrent login allowed for all or specific users? If yes, why?
Q24) Is sensitive data (username, token, session ID, parameter values) passed in a query string/URL?
Q25) Does the application/system logs contain any sensitive data (user id, hashed passwords, csrf token, post auth. Session id) ? If yes, is it masked or encrypted?
Q26) Does the application generate user activity logs for login/logout, password change, session timeout, access attempts?
Q27) Does the application have logging capabilities enabled for security related events? If so, what data is captured/logged?