I have run a sonar scan over DVWA(damn vulnerable web application) which contains simple XSS vulnerability and notice that SonarQube Enterprise edition was not able to detect simple XSS vulnerability However we have notice that if we scan from old version of sonar community version we can detect XSS vulnerability.
We are using Enterprise Edition Version 9.6.1 which is failing to detect XSS vulnerability however old version i.e Community Edition Version 8.2 was able to detect XSS vulnerability.
Is there is any change in plugin development as it is fail to detect simple XSS based vulnerability on given below code?
We assume you are referring to this file. No issue is raised here because in the file the user input is only concatenated into a string but the string is not outputted here. To be more technical, in this file there is no sink.
The file is included in another file and there the variable is printed but unfortunately, our analyzer is not yet able to fully resolve the include statements. Thus, it does not detect that the user input ends up in an echo call.
I am not sure what you mean in regard to Community Edition. The Community Edition is not able to detect injection vulnerabilities like XSS at all and never was. I have just scanned DVWA with CE 8.2 to confirm, there are no XSS findings.
Good question. It depends on the framework that is in use. For example, most modern frameworks use templating engines and those are very hard to understand with static analysis. After all, the templates have their own language and are parsed by your application.
We support some templating engines (e.g., Thymeleaf). Though, for PHP there is no templating support yet, so no XSS vulnerabilities are detected in Twig, Blade, or Smarty.