SonarCloud not detecting vulnerability

  • ALM used - Gitlab

  • CI system used - Gitlab

  • Scanner command used when applicable : sonar-scanner -Dsonar.qualitygate.wait=true

  • Languages of the repository : Nodejs, typescript

  • Only if the SonarCloud project is public, the URL : Private

    • And if you need help with pull request decoration, then the URL to the PR too

  • Error observed (wrap logs/code around with triple quotes ``` for proper formatting) : Introduced a security vulnerability from an example given in the Sonar documentation. Screenshot attached, but it is not detected. Line 6 in the screenshot below is an example of code that has a vulnerability. Note that here we have skipped the build step and are running sonar directly as the first step in GitLab CI.

  • Steps to reproduce : Adding the code to default main branch.

  • Potential workaround : None

Hi,

Welcome to the community!

Can you verify that the relevant rule is active in your Quality Profile, please?

 
Ann

Hi, thanks for the response. I verified that the default Sonar Way quality profile has the vulnerability and security rules active. However, there are two behaviors I can see:

  1. I can also see that under the quality profile for the main branch, it shows as not computed. This appears to be due to the New Code definition that is set. I will work with the admin to see if setting it fixes the issue:

image

  2. However, for the sonar_testing branch I created to test this, I can see that the Quality Gate shows as failed. Since no specific quality gate is set for the project, I am guessing that the default Sonar Way profile was applied to this branch. In Sonar Way the relevant rule was “Regular expressions should not be vulnerable to Denial of Service attacks” and it is active. The vulnerability is not reported.
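As an added illustration (not code from this thread or from SonarSource), here is a small TypeScript heuristic for the shape the quoted rule targets: a quantified group whose body is itself quantified, such as `/(a+)+b/`, which backtracks exponentially on a near-miss input. The function name and the two sample patterns are my own; the heuristic deliberately covers only nested quantifiers, not every ReDoS pattern (overlapping alternations, for example).

```typescript
// Added example, not part of the original thread or of SonarCloud's analyzer.
// Flags regex sources of the nested-quantifier shape (a+)+, (\d+)*, ((a)+)+ ...
// which is what the rule "Regular expressions should not be vulnerable to
// Denial of Service attacks" is about. Heuristic only: it ignores lookarounds,
// bounded {n,m} vs unbounded {n,}, and overlapping alternations like (a|a)+.

interface GroupState { quantified: boolean; }

function hasNestedQuantifier(source: string): boolean {
  const stack: GroupState[] = [];
  let inClass = false; // inside [...] the quantifier characters are literals
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }                 // skip the escaped char
    if (inClass) { if (c === "]") inClass = false; continue; }
    switch (c) {
      case "[": inClass = true; break;
      case "(": stack.push({ quantified: false }); break;
      case ")": {
        const g = stack.pop();
        const next = source[i + 1];
        const groupIsQuantified = next === "+" || next === "*" || next === "{";
        if (g && g.quantified && groupIsQuantified) return true;
        // a quantified inner group counts as a quantifier inside its parent
        if (g && groupIsQuantified && stack.length > 0) {
          stack[stack.length - 1].quantified = true;
        }
        break;
      }
      case "+": case "*": case "{":
        if (stack.length > 0) stack[stack.length - 1].quantified = true;
        break;
    }
  }
  return false;
}

// Constructed pair in the style of the rule's documentation: both patterns
// accept exactly the same strings, but only the first can blow up on
// inputs like "aaaaaaaaaaaaaaaaaaaaaaaa!" (many a's, no trailing b).
const NONCOMPLIANT = /(a+)+b/; // nested quantifier
const COMPLIANT = /a+b/;       // same language, linear backtracking
```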

Hi,

I’ve moved this to the False-positive / False-negative category. There’s just one detail missing: what rule did you expect to raise an issue on this?

 
Thx,
Ann

Hi, sorry for the delay. As you can see, the first screenshot in this post would match the rule below and the example given for the rule:

Also, I inserted another vulnerability from the example given. This one is also not showing as a vulnerability (it still shows 0 as the count); however, it comes up in Security Hotspots:
