Security issues are not found

I am using this code for testing:

<?php
// Deliberately vulnerable test sample: the request parameter flows into the
// query unvalidated. $username and $password are assumed to be defined elsewhere.
$id = $_GET['id'];
mysql_connect('localhost', $username, $password) or die('Could not connect: ' . mysql_error());
mysql_select_db('myDatabase') or die('Could not select database');

$result = mysql_query("SELECT * FROM myTable WHERE id = " . $id);  // Sensitive, could be susceptible to SQL injection

while ($row = mysql_fetch_object($result)) {
    echo $row->name;
}

SonarLint is not detecting any issue with this code. I tried both standalone and connected modes. I am confused.
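The injection in the posted snippet, shown beside a hardened form. This is an added example, not code from the post or from SonarSource: it uses PDO against an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs offline, and the table, rows and the two stand-in request values are constructed. The mysql_* functions in the post were removed in PHP 7.0, so the posted snippet itself only runs on PHP 5; the pattern is the same with mysqli or PDO.

```php
<?php
// Added example, not from the original post: the vulnerable query pattern and
// its parameterized replacement, run against an in-memory SQLite database via
// PDO (assumes the pdo_sqlite extension) so that it executes offline.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema and rows standing in for the post's myTable.
    $db->exec('CREATE TABLE myTable (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO myTable (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// Vulnerable: the request parameter is concatenated into the SQL text, which is
// exactly the shape of the posted mysql_query() call.
function lookupVulnerable(PDO $db, string $id): array
{
    $result = $db->query('SELECT name FROM myTable WHERE id = ' . $id);
    return $result->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type first, then bind the value in a prepared
// statement so the database never parses attacker-controlled text as SQL.
function lookupSafe(PDO $db, string $id): array
{
    $intId = filter_var($id, FILTER_VALIDATE_INT);
    if ($intId === false) {
        return []; // not an integer: refuse instead of trying to sanitize
    }
    $stmt = $db->prepare('SELECT name FROM myTable WHERE id = :id');
    $stmt->bindValue(':id', $intId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = openDemoDb();

// Constructed inputs standing in for $_GET['id']: one benign, one injected.
foreach (['2', '1 OR 1=1'] as $input) {
    printf("input %-10s vulnerable: %-20s safe: %s\n",
        json_encode($input),
        implode(',', lookupVulnerable($db, $input)),
        implode(',', lookupSafe($db, $input)));
}
```

With the benign id both lookups return bob. With `1 OR 1=1` the concatenated query's WHERE clause becomes `id = 1 OR 1=1`, so every row comes back, while the hardened lookup rejects the input before any SQL runs. Binding the value alone already defeats the injection; the integer check on top keeps obviously bad input out of the query and the logs. A taint-tracking engine flags the vulnerable function because `$id` reaches `query()` with no sanitizer on the path, which is the analysis the thread explains SonarLint does not perform locally.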

Hello @Vikas_Singhal,

Welcome to the SonarSource community and thank you for your first PHP contribution.

There is indeed a vulnerability in your sample code and it won't be detected by SonarLint because our Security Engine is not activated/embedded in SonarLint.
This vulnerability will be detected if you are scanning your code with SonarQube Developer Edition or on SonarCloud.io.

On SonarCloud it's really easy and fast if you are relying on AutoScan. Just add a .sonarcloud.properties file in your GitHub repository and you will see the results quickly: https://sonarcloud.io/project/issues?id=agigleux_sonarsource-community-13571-autoscan-php&open=AWzOaIBEfirc4xEvB1Az&resolved=false&types=VULNERABILITY

Regards


Thanks @Alexandre_Gigleux. So you are saying that it's not possible to detect this vulnerability via SonarLint even if I use Dev edition or SonarCloud?

Indeed, it's not yet possible to detect this vulnerability with SonarLint, i.e. in your IDE. That's not ideal and hopefully we will enable that feature sooner or later, because we really want to provide such feedback to developers as soon as possible, i.e. while they are coding.

But, as I said before, you will detect this vulnerability by relying on a server analysis, so by using SonarQube Developer Edition or SonarCloud.io.

Thanks for your response. So just to be clear, SonarLint won’t be able to catch any security issues (across all languages?), because all linting is done locally, even in Connected mode?

SonarLint will find some security issues: the ones that are reported directly by the code analyzers, i.e. issues that don't require too much computation. You can find the list here:
https://rules.sonarsource.com/php/type/Vulnerability

Advanced security issues requiring, for example, taint analysis are not currently detected by SonarLint. On the SonarQube/SonarCloud side they are detected by a separate (cross-language) engine. Look at https://docs.sonarqube.org/latest/analysis/security_configuration/ for the list of security rules that are not supported by SonarLint.

And yes, all linting is done locally, even in connected mode. Connected mode simply synchronizes configuration between the server and SonarLint to ensure the most consistent results, but with a few limitations (and advanced security issues are one of those limitations).

Thanks Julien. I tried the following code (taken from the PHP rules URL you provided):

<?php

$filename = $_GET["filename"];
include $filename . ".php";

The IDE is VSCode with SonarLint without connected mode (as it doesn't make any difference from a testing standpoint anyway). There is no problem detected by SonarLint. Here is the output from the plugin:

Executing /Library/Java/JavaVirtualMachines/jdk-12.0.2.jdk/Contents/Home/bin/java -jar /Users/vsinghal/.vscode/extensions/sonarsource.sonarlint-vscode-1.10.0/server/sonarlint-ls.jar 55137 file:///Users/vsinghal/.vscode/extensions/sonarsource.sonarlint-vscode-1.10.0/analyzers/sonarjs.jar file:///Users/vsinghal/.vscode/extensions/sonarsource.sonarlint-vscode-1.10.0/analyzers/sonarphp.jar file:///Users/vsinghal/.vscode/extensions/sonarsource.sonarlint-vscode-1.10.0/analyzers/sonarpython.jar file:///Users/vsinghal/.vscode/extensions/sonarsource.sonarlint-vscode-1.10.0/analyzers/sonarts.jar file:///Users/vsinghal/.vscode/extensions/sonarsource.sonarlint-vscode-1.10.0/analyzers/sonarhtml.jar
Binding to 55137
Child process connected on port 55137
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.sonarsource.sonarlint.shaded.com.google.gson.internal.reflect.UnsafeReflectionAccessor (file:/Users/vsinghal/.vscode/extensions/sonarsource.sonarlint-vscode-1.10.0/server/sonarlint-ls.jar) to field java.time.LocalDate.year
WARNING: Please consider reporting this to the maintainers of org.sonarsource.sonarlint.shaded.com.google.gson.internal.reflect.UnsafeReflectionAccessor
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Analysis triggered on file:///Work/code/poc/ide-plugin-testing/sonarlint.php with configuration: 
[
  baseDir: /Work/code/poc/ide-plugin-testing
  extraProperties: {}
  excludedRules: []
  includedRules: []
  inputFiles: [
    file:///Work/code/poc/ide-plugin-testing/sonarlint.php (UTF-8) [php]
  ]
]

Starting standalone SonarLint engine...
Using 5 analyzers
Create : /Users/vsinghal/.sonarlint/plugins
Plugin cache: /Users/vsinghal/.sonarlint/plugins
Create : /Users/vsinghal/.sonarlint/plugins/_tmp
Load plugins
Load plugins (done) | time=14ms
Plugins:
  * SonarPHP 3.0.0.4537 (php)
  * SonarPython 1.12.0.2726 (python)
  * SonarTS 1.9.0.3766 (typescript)
  * SonarHTML 3.2.0.2082 (web)
  * SonarJS 5.1.1.7506 (javascript)
[Info  - 11:45:47 AM] Starting SonarTS Server
Deploying bundle to /Users/vsinghal/.sonarlint/work/.sonartmp_7445351134669267468/971209022126498457
[Info  - 11:45:48 AM] Using typescript at [/Applications/Visual Studio Code.app/Contents/Resources/app/extensions/node_modules/typescript], version 3.5.2
[Info  - 11:45:48 AM] SonarTS Server is started
Standalone SonarLint engine started
[Info  - 11:45:48 AM] SonarTS Server connected to 55143
Available languages:
  * PHP => "php"
  * Python => "py"
  * TypeScript => "ts"
  * HTML => "web"
  * JSP => "jsp"
  * JavaScript => "js"
Start analysis
Declared extensions of language PHP were converted to php: **/*.php,**/*.php3,**/*.php4,**/*.php5,**/*.phtml,**/*.inc
Declared extensions of language Python were converted to py: **/*.py
Declared extensions of language TypeScript were converted to ts: **/*.ts,**/*.tsx
Declared extensions of language HTML were converted to web: **/*.html,**/*.xhtml,**/*.cshtml,**/*.vbhtml,**/*.aspx,**/*.ascx,**/*.rhtml,**/*.erb,**/*.shtm,**/*.shtml
Declared extensions of language JSP were converted to jsp: **/*.jsp,**/*.jspf,**/*.jspx
Declared extensions of language JavaScript were converted to js: **/*.js,**/*.jsx,**/*.vue
[Info  - 11:45:48 AM] Index files
Language of file 'file:///Work/code/poc/ide-plugin-testing/sonarlint.php' is set to 'php'
[Info  - 11:45:48 AM] 1 file indexed
Execute Sensor: PHP sensor
[Warn  - 11:45:48 AM] No workDir in SonarLint
[Info  - 11:45:48 AM] 1 source files to be analyzed
[Info  - 11:45:48 AM] 1/1 source files have been analyzed
Execute Sensor: Analyzer for "php.ini" files
'Python Squid Sensor' skipped because there is no related file in current project
'Contextual SonarTS' skipped because there is no related file in current project
Execute Sensor: HTML
'SonarJS' skipped because there is no related file in current project
'ESLint-based SonarJS' skipped because there is no related file in current project
Analysis triggered on file:///Work/code/poc/ide-plugin-testing/sonarlint.php with configuration: 
[
  baseDir: /Work/code/poc/ide-plugin-testing
  extraProperties: {}
  excludedRules: []
  includedRules: []
  inputFiles: [
    file:///Work/code/poc/ide-plugin-testing/sonarlint.php (UTF-8) [php]
  ]
]

Available languages:
  * PHP => "php"
  * Python => "py"
  * TypeScript => "ts"
  * HTML => "web"
  * JSP => "jsp"
  * JavaScript => "js"
Start analysis
Declared extensions of language PHP were converted to php: **/*.php,**/*.php3,**/*.php4,**/*.php5,**/*.phtml,**/*.inc
Declared extensions of language Python were converted to py: **/*.py
Declared extensions of language TypeScript were converted to ts: **/*.ts,**/*.tsx
Declared extensions of language HTML were converted to web: **/*.html,**/*.xhtml,**/*.cshtml,**/*.vbhtml,**/*.aspx,**/*.ascx,**/*.rhtml,**/*.erb,**/*.shtm,**/*.shtml
Declared extensions of language JSP were converted to jsp: **/*.jsp,**/*.jspf,**/*.jspx
Declared extensions of language JavaScript were converted to js: **/*.js,**/*.jsx,**/*.vue
[Info  - 11:45:59 AM] Index files
Language of file 'file:///Work/code/poc/ide-plugin-testing/sonarlint.php' is set to 'php'
[Info  - 11:45:59 AM] 1 file indexed
Execute Sensor: PHP sensor
[Warn  - 11:45:59 AM] No workDir in SonarLint
[Info  - 11:45:59 AM] 1 source files to be analyzed
Execute Sensor: Analyzer for "php.ini" files
[Info  - 11:45:59 AM] 1/1 source files have been analyzed
'Python Squid Sensor' skipped because there is no related file in current project
'Contextual SonarTS' skipped because there is no related file in current project
Execute Sensor: HTML
'SonarJS' skipped because there is no related file in current project
'ESLint-based SonarJS' skipped because there is no related file in current project
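The include injection from the snippet above, beside an allowlist-based replacement. This is an added example, not code from the post or from SonarSource: the page directory, the two page files and the out-of-tree config file are all constructed under the system temp directory so the script runs offline, and the two stand-in request values are constructed as well.

```php
<?php
// Added example, not from the original post: the include-injection pattern
// from the posted snippet beside an allowlist-based replacement. The page
// directory, page files and the out-of-tree config file are all constructed
// under the system temp directory so the script runs offline.
declare(strict_types=1);

function buildDemoTree(): string
{
    $root = sys_get_temp_dir() . '/include-demo-' . getmypid();
    mkdir($root . '/pages', 0700, true);
    // Two legitimate pages that a router is meant to include.
    file_put_contents($root . '/pages/home.php', '<?php return "home page";');
    file_put_contents($root . '/pages/about.php', '<?php return "about page";');
    // A PHP file outside the pages directory that should never be reachable.
    file_put_contents($root . '/config.php', '<?php return ["db_password" => "hunter2"];');
    return $root;
}

// Vulnerable: same shape as `include $_GET["filename"] . ".php";`. The
// attacker controls the path, so "../config" escapes the pages directory.
function renderVulnerable(string $pagesDir, string $filename)
{
    return include $pagesDir . '/' . $filename . '.php';
}

// Hardened: the request parameter is only used as a key into a fixed map, so
// no attacker-controlled text ever becomes part of a path.
function renderSafe(string $pagesDir, string $filename)
{
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    if (!array_key_exists($filename, $allowed)) {
        return null; // unknown page: refuse, never build a path from the input
    }
    return include $pagesDir . '/' . $allowed[$filename];
}

$root = buildDemoTree();
$pagesDir = $root . '/pages';

// Constructed inputs standing in for $_GET["filename"].
foreach (['home', '../config'] as $input) {
    $vulnerable = renderVulnerable($pagesDir, $input);
    $safe = renderSafe($pagesDir, $input);
    printf("input %-12s vulnerable: %-40s safe: %s\n",
        $input, json_encode($vulnerable), json_encode($safe));
}

// Remove the constructed files.
foreach (['/pages/home.php', '/pages/about.php', '/config.php'] as $f) {
    unlink($root . $f);
}
rmdir($root . '/pages');
rmdir($root);
```

With `home` both functions return the page. With `../config` the vulnerable include resolves to `pages/../config.php` and hands back the credentials array, while the hardened version returns null without touching the filesystem. Appending `.php` does not limit the damage, since any PHP file on the host (or, with `allow_url_include` enabled, a remote one) is still reachable; a fixed map from request value to file is the check a taint engine expects to see between the request and the `include`.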

Sorry, my first response was misleading. The first link contains all rules, both the ones available in SonarLint and the ones not available in SonarLint. RSPEC-5335 is not available in SonarLint.
You can quickly see it by looking at the top right of the rule description:
https://rules.sonarsource.com/php/type/Vulnerability/RSPEC-5335

This one should work in SonarLint:
https://rules.sonarsource.com/php/type/Vulnerability/RSPEC-2068