Hi team.
We have the SonarQube Developer Edition as part of our security toolkit. We wanted to test Sonar's effectiveness, so we performed a set of tests over the OWASP Benchmark (it's just a Java project with different vulnerabilities (link)). The problem is that we got better results with the free version of SonarCloud.
Test data
• SonarCloud free version (Sonar way quality profile)
• SonarQube Developer Edition Version 8.5.1r (Sonar way and sonar way security quality profiles)
In all cases, Sonar way was used as the quality gate.
Definition
Success: a true positive. It happens when a file has a vulnerability and SonarQube was able to detect that vulnerability.
Results with the configuration of your quality profile
• SonarCloud achieved a 40.28% success rate
• SonarQube Developer Edition with the Sonar way quality profile achieved a 15.9% success rate
• SonarQube Developer Edition with the Sonar way security quality profile achieved a 10% success rate
We would like to know if there is an alternative to improve Sonar's performance in detecting these vulnerabilities. I think it is a configuration issue, but I would like to get some ideas.
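The "success" metric defined in the post is a per-file true-positive rate: a Benchmark test case counts as detected when the file it lives in carries at least one security finding. The script below, an added example that is not part of the original post and not SonarSource or OWASP tooling, computes that rate from two inputs: the Benchmark's expected-results CSV and the JSON returned by the SonarQube/SonarCloud issues Web API. Both inputs are constructed inline here; the CSV column layout (test name, category, real vulnerability, CWE), the `component` key format (`<projectKey>:<path>`) and the project key `owasp-benchmark` are assumptions to check against your own files. It goes one step beyond the post by also reporting the false-positive rate and a per-category breakdown, which is how the Benchmark's own scorecard presents results and what lets you tell a profile that flags everything apart from one that is actually precise.

```python
import csv
import io
import json
import os

# Constructed sample in the layout of the OWASP Benchmark expected-results CSV
# (assumed columns: test name, category, real vulnerability, CWE).
EXPECTED_CSV = """# test name, category, real vulnerability, cwe
BenchmarkTest00001,pathtraver,true,22
BenchmarkTest00002,cmdi,true,78
BenchmarkTest00003,sqli,true,89
BenchmarkTest00004,sqli,false,89
BenchmarkTest00005,xss,false,79
"""

# Constructed sample shaped like the JSON returned by SonarQube/SonarCloud
# /api/issues/search (only the fields this script uses are included).
ISSUES_JSON = json.dumps({"issues": [
    {"component": "owasp-benchmark:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java",
     "rule": "java:S2083", "type": "VULNERABILITY"},
    {"component": "owasp-benchmark:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java",
     "rule": "java:S1118", "type": "CODE_SMELL"},
    {"component": "owasp-benchmark:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java",
     "rule": "java:S3649", "type": "VULNERABILITY"},
    {"component": "owasp-benchmark:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java",
     "rule": "java:S3649", "type": "VULNERABILITY"},
    {"component": "owasp-benchmark:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00005.java",
     "rule": "java:S1118", "type": "CODE_SMELL"},
]})

# Issue types that count as "Sonar detected a vulnerability". Code smells and
# bugs are deliberately ignored so they cannot inflate the score.
SECURITY_TYPES = frozenset({"VULNERABILITY", "SECURITY_HOTSPOT"})


def load_expected(csv_text):
    """Map test name -> (category, is_real_vulnerability) from the Benchmark CSV."""
    expected = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue  # skip the header/comment line and blank lines
        name, category, real, _cwe = (field.strip() for field in row[:4])
        expected[name] = (category, real.lower() == "true")
    return expected


def flagged_tests(issues_json, types=SECURITY_TYPES):
    """Set of test names that have at least one issue of a counted type."""
    flagged = set()
    for issue in json.loads(issues_json)["issues"]:
        if issue.get("type") not in types:
            continue
        # component is assumed to be "<projectKey>:<path>"; the file stem is the test name.
        stem, _ext = os.path.splitext(os.path.basename(issue["component"]))
        flagged.add(stem)
    return flagged


def score(expected, flagged, category=None):
    """Confusion counts plus TPR (the post's 'success' rate) and FPR."""
    tp = fn = fp = tn = 0
    for name, (cat, real) in expected.items():
        if category is not None and cat != category:
            continue
        hit = name in flagged
        if real and hit:
            tp += 1
        elif real:
            fn += 1
        elif hit:
            fp += 1
        else:
            tn += 1
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn, "tpr": tpr, "fpr": fpr}


def scorecard(csv_text=EXPECTED_CSV, issues_json=ISSUES_JSON):
    """Overall and per-category scores, keyed by category ('all' for the total)."""
    expected = load_expected(csv_text)
    flagged = flagged_tests(issues_json)
    cards = {"all": score(expected, flagged)}
    for cat in sorted({c for c, _ in expected.values()}):
        cards[cat] = score(expected, flagged, category=cat)
    return cards


if __name__ == "__main__":
    for cat, s in scorecard().items():
        print(f"{cat:12} TP={s['tp']} FN={s['fn']} FP={s['fp']} TN={s['tn']} "
              f"TPR={s['tpr']:.1%} FPR={s['fpr']:.1%}")
```

To run this against a real analysis, replace `ISSUES_JSON` with the pages fetched from `/api/issues/search` for the Benchmark project (the endpoint is paginated through the `p` and `ps` parameters, with `ps` capped at 500, and accepts a `types` filter); on SonarQube 8.x security hotspots are served by a separate `/api/hotspots/search` endpoint with a different response shape, so merge them in only after adapting the parser, and check your instance's Web API documentation for the exact parameters. Two caveats when comparing profiles this way: the per-file definition credits a file as detected even when the finding is for a different weakness than the one the test case carries, so a noisy profile can score well on TPR while scoring badly on FPR, which is why the script reports both; and a comparison is only meaningful if the same sources, the same compiled classes and the same Benchmark version were analysed on each side.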