Sonar Enterprise is Not Detecting Cross-Site Scripting Vulnerability in PHP Project

I have run a Sonar scan over DVWA (Damn Vulnerable Web Application), which contains a simple XSS vulnerability, and noticed that SonarQube Enterprise Edition was not able to detect the simple XSS vulnerability. However, we have noticed that if we scan with an old version of the Sonar Community Edition we can detect the XSS vulnerability.

  • We are using Enterprise Edition Version 9.6.1, which is failing to detect the XSS vulnerability; however, an old version, i.e. Community Edition Version 8.2, was able to detect the XSS vulnerability.
  • Is there any change in plugin development, as it fails to detect a simple XSS vulnerability on the code given below?
        $html .= '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';

Hey there.

I cloned GitHub - digininja/DVWA: Damn Vulnerable Web Application (DVWA) and ran an analysis which found 17 injection vulnerabilities, 3 of which were XSS.

Can you point to a specific file/line in DVWA where you expect a vulnerability to be raised but it isn’t?

Hello Saurabh and welcome to the community!

We assume you are referring to this file. No issue is raised here because in this file the user input is only concatenated into a string, but the string is not output here. To be more technical, in this file there is no sink.
The file is included in another file, and there the variable is printed, but unfortunately our analyzer is not yet able to fully resolve include statements. Thus, it does not detect that the user input ends up in an echo call.

I am not sure what you mean in regard to Community Edition. The Community Edition is not able to detect injection vulnerabilities like XSS at all, and never was. I have just scanned DVWA with CE 8.2 to confirm; there are no XSS findings.
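To make the source/sink point above concrete, here is an added example (not DVWA code and not from the SonarSource analyzer): the same concatenation as in the DVWA line, once with the source and the sink in one file, and once with the value escaped before it reaches the sink. The function names and the assumption that a taint analyzer tracks the flow when both ends are in one file are mine; only the `$_GET`-into-`echo` flow comes from the thread.

```php
<?php
// Added illustration; hypothetical function names, not DVWA or Sonar code.
// Run locally with: php -S 127.0.0.1:8080 example.php
// then request /example.php?name=<b>x</b> and view the page source.

declare(strict_types=1);

// Vulnerable shape: user input (source, $_GET) is concatenated into HTML
// that is later echoed (sink). With both in ONE file the analyzer has a
// complete source -> sink path to report. Same pattern as the DVWA line;
// the bug is intentional here so the two variants can be compared.
function greet_unsafe(array $query): string
{
    $html = '';
    if (array_key_exists('name', $query)) {
        $html .= '<pre>Hello ' . $query['name'] . '</pre>';
    }
    return $html;
}

// Hardened shape: identical flow, but the value is HTML-escaped before it
// enters the markup, so "<b>x</b>" is rendered as text, not as a tag.
function greet_safe(array $query): string
{
    $html = '';
    if (array_key_exists('name', $query)) {
        $name = htmlspecialchars((string) $query['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<pre>Hello ' . $name . '</pre>';
    }
    return $html;
}

// The sink. In DVWA this echo lives in a different file that include()s
// the one building $html, and (per the thread) the analyzer does not yet
// follow the include, so the finding is missed even though the flow exists.
// Swapping greet_safe for greet_unsafe here is the case it does report.
echo greet_safe($_GET);
```

Keeping the output line in the same file as the concatenation, or escaping at the point of concatenation as in `greet_safe`, removes the dependency on include resolution entirely.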

Hi, Hendrick!

Thanks for clarifying it. I have also checked that the Community Edition was also not able to detect these vulnerabilities.

In this situation I am curious how efficient a Sonar scan would be in today’s MVC environment.

Once again thanks for clarifying.

Good question. It depends on the framework that is in use. For example, most modern frameworks use templating engines and those are very hard to understand with static analysis. After all, the templates have their own language and are parsed by your application.
We support some templating engines (e.g., Thymeleaf). However, for PHP there is no templating support yet, so no XSS vulnerabilities are detected in Twig, Blade, or Smarty.
