Rules missing after upgrading from SQ 6.7.2 to 7.9.1

Hello

I have upgraded SonarQube from 6.7.2 to 7.9.1 (all plugins also).
After the upgrade I ran a scan and noticed a reduction in Blockers compared to what was in 6.7.2.
When comparing the two instances, I noticed some rules were missing after the upgrade to 7.9.1.
Please see attached document for details (will need to rename to findingX.docx for upload to work).

Any ideas how I can enable these rules again?

Thanks
Jason


(Edit by Ann to replace attachments with their contents)

RULE - Executing OS commands is security-sensitive

Missing for Java language.

SonarQube 6.7.2

SonarQube 7.9.1

RULE - Executing XPath expressions is security-sensitive

Missing for Java language.

SonarQube 6.7.2

SonarQube 7.9.1

RULE – Console logging should not be used

Missing for JavaScript language.

SonarQube 6.7.2

SonarQube 7.9.1

RULE – Dynamically executing code is security-sensitive

Missing for Java language.

SonarQube 6.7.2

SonarQube 7.9.1

Hi Jason,

SonarQube 7.9 LTS provides a taint analysis engine which is able to detect real injection vulnerabilities in Java, C# and PHP.

The following rules have been replaced in SonarJava:

These new rules are way more accurate and enable you to see the whole injection flow. Note however that the taint analysis engine is not available in SonarQube Community Edition. It is available for free in SonarCloud for open source projects.

Rule “Console logging should not be used” has been merged with “Standard outputs should not be used directly to log anything”, as using console.log(...) is just printing to standard output. The security aspect will be covered by rule “Logging should not be vulnerable to injection attacks” when the taint analysis engine is available for JavaScript.

Cheers,
Nicolas

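To make the distinction above concrete, here is an added Java example (not code from the thread or from SonarSource) of the two kinds of flow the replaced hotspot rules pointed at and a taint engine reports as a vulnerability: a request value reaching Runtime.exec through a shell, and a request value concatenated into an XPath expression. The inputs are constructed inline and stand in for something like request.getParameter(...); the method names and the users XML document are this example's own. The vulnerable methods are never executed here, only shown beside their hardened counterparts.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.regex.Pattern;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class InjectionFlows {

    // ---- OS command injection (replaces "Executing OS commands is security-sensitive") ----

    // Vulnerable: the untrusted value is concatenated into a command line that a shell parses.
    // SOURCE (host, e.g. from request.getParameter("host")) -> SINK (Runtime.exec via sh -c).
    // Input "127.0.0.1; id" would run `id` as a second command.
    static Process pingVulnerable(String host) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -c 1 " + host});
    }

    // Allowlist: hostname characters only, and no leading '-' so the value cannot become an option.
    private static final Pattern HOSTNAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9.-]{0,252}");

    // Hardened: validate against the allowlist, then pass the value as a single argv element
    // with no shell in between, so it can never be re-parsed as command syntax.
    static Process pingSafe(String host) throws IOException {
        if (!HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid host: " + host);
        }
        return new ProcessBuilder("ping", "-c", "1", host).start();
    }

    // ---- XPath injection (replaces "Executing XPath expressions is security-sensitive") ----

    // Constructed sample document for the example.
    static final String USERS_XML =
        "<users><user name=\"alice\" role=\"admin\"/><user name=\"bob\" role=\"user\"/></users>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Unrelated to injection, but parsing untrusted XML without this invites XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Vulnerable: the untrusted value becomes part of the query structure.
    // Input "' or '1'='1" turns the predicate into [@name='' or '1'='1'], matching every user.
    static int countUsersVulnerable(Document doc, String name) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList n = (NodeList) xp.evaluate(
            "/users/user[@name='" + name + "']", doc, XPathConstants.NODESET);
        return n.getLength();
    }

    // Hardened: bind the value as an XPath variable; it is compared as a string literal
    // and cannot alter the expression, whatever characters it contains.
    static int countUsersSafe(Document doc, String name) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(v -> "name".equals(v.getLocalPart()) ? name : null);
        NodeList n = (NodeList) xp.evaluate(
            "/users/user[@name=$name]", doc, XPathConstants.NODESET);
        return n.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        String attack = "' or '1'='1";
        System.out.println("vulnerable XPath matched " + countUsersVulnerable(doc, attack) + " users"); // 2
        System.out.println("safe XPath matched " + countUsersSafe(doc, attack) + " users");             // 0

        try {
            pingSafe("127.0.0.1; id"); // rejected before any process is started
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point the answer makes about accuracy is visible in the difference between the two halves of each pair: the old hotspot rules flagged every call to Runtime.exec or XPath.evaluate for review, whereas a taint engine reports only the variants where an untrusted value reaches the sink unsanitized, and shows the path it took.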

Nicolas

Thanks for the prompt and detailed response.

Jason