SonarCloud does not detect command injection problems

Make sure to read this post before raising a thread here:

Then tell us:

  • What language is this for?

  • Which rule?

  • Why do you believe it’s a false-positive/false-negative?
    Command injection is a common issue. It might be trivial but is still seen from time to time.

  • Are you using

    • SonarCloud
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

Hi @Herschdorfer and welcome to the community!

Indeed, Sonar C and C++ analyzer offers only a limited set of security rules. So far we have maintained our focus on the quality of the code rather than its security. Yet, as you might know, quality and security are correlated.

In particular, we have not invested in the detection of injection vulnerabilities, including the command injection.

We do have it on our radar, however. I have recorded your interest in CPP-4903.


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.