Scanning JuiceShop with SonarQube

Hey All,
SonarQube is a really good product - I gave it a try and I was amazed, thank you!

I tried to test its security capabilities. I took an intentionally vulnerable web application, OWASP JuiceShop, and tried to scan it with SonarQube. To my surprise, there were almost no security issues detected. You can find the scan results here. I used the regular scanner, installed via brew on my local Mac.
A list of all the security issues in JuiceShop can be found here. Can you help me understand what issues can be detected by SonarQube? I would expect to see XSS/NoSql/Sql injections at least reported…

Hello,

The results you are getting are the expected ones. We support “only” 9 JS Vulnerability rules as of now on SonarJS: https://rules.sonarsource.com/javascript/type/Vulnerability. We know it’s not enough and we will improve that. JuiceShop is on our radar, and it would already be a good achievement if we can raise the expected issues on it.

As of now, we are focusing on improving what we have on Java, C# and PHP. So let’s talk again in 6 months and see where we are :smile:

Alex

Hey Alex,
Thank you for your detailed response! Is there a place where I can register to get updates when the security rules for JS are updated?

Hello,

Finally, I’m able to give you an update on your request. Our JS/TS SAST engine is better than ever and you can check what it can detect on JuiceShop here: https://sonarcloud.io/project/issues?id=agigleux_juice-shop&resolved=false&types=VULNERABILITY.

We would be very happy to get your feedback.

Thanks
Alex