Security Scanning with SonarQube?

Hello everyone,

I am new to SonarQube. I tried using the search, but I did not find an answer, so apologies if this is a common question.

I am running SonarQube 7.9.1 on Ubuntu. I have also installed version 3.3.0.1492 of SonarScanner. I am going through the getting started tutorial that is presented when you start the console and browse http://127.0.0.1:9000.

I made a simple C# application that is vulnerable to SQL injection. See below.

    // Deliberately vulnerable sample: user input is concatenated straight into SQL text.
    using System;
    using System.Data.SqlClient;

    class Program
    {
        static void Main(string[] args)
        {
            int i = 0; // unused local variable
            VeryVeryBadSQL(args[0]);
        }

        static void VeryVeryBadSQL(string pId)
        {
            SqlConnection conn = new SqlConnection("SomeConnectionString");
            SqlCommand comm = new SqlCommand();

            comm.Connection = conn;
            comm.Connection.Open();
            comm.CommandType = System.Data.CommandType.Text;
            // pId (taken from the command line) flows unchanged into the query text: the injection sink
            comm.CommandText = "SELECT * FROM SomeTable WHERE ID = '" + pId + "'";

            var reader = comm.ExecuteReader();
        }
    }

When running SonarScanner against this, no SQL injection vulnerabilities are identified. Why is this? Do I need to add a plugin or something? If so, can someone direct me to a resource that shows how to do this?

Thanks,

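For comparison, here is the same lookup written with a parameterized query, the form that keeps user input out of the SQL text. This is an added example, not code from the original post; the connection string and the table and column names are placeholders.

```csharp
// Added example (not from the original post): the lookup from the vulnerable sample,
// redone so the ID travels as a bound parameter instead of being spliced into SQL.
using System;
using System.Data;
using System.Data.SqlClient;

static class SafeLookup
{
    // Placeholder connection string; substitute your own.
    const string ConnectionString = "Server=(local);Database=AppDb;Integrated Security=true;";

    // Returns the number of rows whose ID equals the supplied value.
    static int CountById(string id)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var comm = new SqlCommand("SELECT COUNT(*) FROM SomeTable WHERE ID = @id", conn))
        {
            // The value is sent as typed data: quote characters in 'id' are compared
            // literally against the column, never interpreted as part of the statement.
            comm.Parameters.Add("@id", SqlDbType.NVarChar, 64).Value = id;
            conn.Open();
            return (int)comm.ExecuteScalar();
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: SafeLookup <id>");
            return;
        }
        Console.WriteLine(CountById(args[0]));
    }
}
```

In the parameterized version the command text is a constant, so the taint path from `args[0]` to `CommandText` that an injection analyzer looks for no longer exists.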

Dave,

What edition of SonarQube are you using? Injection vulnerability detection is available in Developer Edition and above, or on https://sonarcloud.io (free for open source projects).

Colin

Hi Colin,

Thanks for the response. I downloaded the Community Edition from this site: https://www.sonarqube.org/downloads/. This edition says it has security hotspots and vulnerabilities. Does SonarQube classify injections as something other than these?

Thanks,

Dave

The detection of Injection Vulnerabilities is a Commercial feature so far as SonarQube is concerned!

Detection of Security Hotspots (make sure _____ is safe here) and other kinds of vulnerabilities (hard-coded credentials, left-over logging, etc.) are available in the Community Edition.

Thanks Colin!

I’ve got a follow-up… I just added some hard-coded credentials.

    public const string USER_NAME = "User1";
    public const string PASSWORD = "Password1!";

I still have 0 security findings after doing a scan. Why would it be missing this?

Thanks