Scanning JuiceShop with SonarQube

sonarqube
scanner
(Omer Levi Hevroni) #1

Hey All,
SonarQube is a really good product - I gave it a try and I was amazed, thank you!

I tried to test its security capabilities. I took an intentionally vulnerable web application, OWASP JuiceShop, and tried to scan it with SonarQube. To my surprise, there were almost no security issues detected. You can find the scan results here. I used the regular scanner, installed via brew on my local Mac.
A list of all the security issues in JuiceShop can be found here. Can you help me understand what issues can be detected by SonarQube? I would expect to see XSS/NoSql/Sql injections at least reported…

(Alexandre Gigleux) #3

Hello,

The results you are getting are the expected ones. We support “only” 9 JS Vulnerability rules as of now on SonarJS: https://rules.sonarsource.com/javascript/type/Vulnerability. We know it’s not enough and we will improve that. JuiceShop is on our radar, and it would already be a good achievement if we could raise the expected issues on it.

As of now, we are focusing on improving what we have on Java, C# and PHP. So let’s talk again in 6 months and see where we are :smile:

Alex

(Omer Levi Hevroni) #4

Hey Alex,
Thank you for your detailed response! Is there a place where I can register to get updates when the security rules for JS will be updated?