SonarCloud SAST

I’m trying to understand the SAST element of SonarCloud better. This article from last year touts the SAST engine as being able to detect Sql Injection threats where string manipulation has occurred. https://blog.sonarsource.com/sonarcloud-is-entering-sast-market

We’ve tested the following code in a PR hooked up to SonarCloud:

A C# MVC controller function with a user tainted parameter:

        using System.Web.Mvc;

        // Controller action: "unsafeSql" is bound from the HTTP request and never validated.
        public ActionResult Test(string unsafeSql)
        {
            var service = new DummyService();

            // Tainted input is concatenated straight into the SQL text (the SQLi the scan should flag).
            service.execute("SELECT * FROM TABLE WHERE a = '" + unsafeSql + "'");

            return this.PartialView("MyView");
        }

And a dummy service (separate file) with the following execute method:

        using System.Data.SqlClient;

        // Sink: the caller-supplied string becomes the command text of a SqlCommand.
        internal void execute(string unsafeSql)
        {
            using (var conn = new SqlConnection("connectionstring"))
            {
                SqlCommand command = new SqlCommand(unsafeSql, conn);
                conn.Open();
                command.ExecuteNonQuery();
                conn.Close();
            }
        }

Why doesn’t SonarCloud pick up this vulnerability? What are the limitations of the SAST scanning in SonarCloud?

Is there a publicly available OWASP benchmark of SonarCloud SAST capability?

Hello @andrew.williams,

I scanned the OWASP Benchmark for Java last August 2019 in the context of writing this article: Takeaways from building a SAST product, and why OWASP benchmark is not enough
You can check the results here: https://sonarcloud.io/dashboard?id=org.owasp%3Abenchmark%3Aagigleux. Bear in mind that the OWASP Benchmark only contains Java cases and no C# cases.

Would you be able to share a zip file or, better, a public repository containing your reproducer so we can investigate why there is no issue raised on your simple SQLi case?

Thanks


Thanks for your prompt reply!

This is an MVC project that demonstrates the issue. I’ve run it through our SonarCloud instance and it has failed to detect the Sql Injection threat.

Thanks

Hello,

There is a special handling of projects with names ending in “Test” or “Tests”. Unfortunately, you named your project “sast_test”, so the SAST engine is not executed which explains why you see nothing.
This is detailed here https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-msbuild/, in the section “Detection of Test Projects”.

If you rename your project to something not containing “Test” or “Tests”, that should be fine.

Example using https://github.com/agigleux/sast_community_reproducer:

Regards
Alex


Interesting!

The original code snippets are from a project without the word “Test” in its name; however, “Test” is the name of the action. Would this have the same impact? The document you linked to doesn’t suggest it would.

I shall rename this project and try again for now.

Thanks Alex. I can see this working for myself now which is great, but it’s not working in our actual codebase.

How can I get some support on our actual issue?

Hello,

If you have any commercial questions regarding your code that is privately scanned on SonarCloud, the best is to get in touch with the SonarCloud Team directly using the contact form: https://sonarcloud.io/about/contact

In the meantime, I believe the first action would be to share here some details about your project so that everyone in the community can participate; maybe other users have faced the same problem and will help you. Information such as:

  • .NET Framework or .NET Core? Which version?
  • Web Framework involved?

Sharing anonymized logs of the scan could also help to identify wrongly configured scans that don’t even trigger the SAST engine (the case you faced with the “Test” project).

Then the ideal situation is to provide a reproducer, so basically what you started to do, and make it more and more complex until it looks like your real project. Without this, it’s impossible to investigate false negatives.


Sorry Alex. I’m struggling to find the logs of the scan. Can you tell me how I would find these?

Hello,

Scan logs are on your side, where you run your build / your CI. They are not on the SonarCloud UI side.

Alex

Hello,
I’m still working on creating a reproducer for this issue I have. In the meantime, can you take a quick look at this excerpt from the SC logs in our build pipeline? I have a feeling it’s being categorised as a test project, even though it doesn’t meet any of the criteria outlined in the aforementioned link.

2020-01-16T10:13:20.8246946Z INFO: Indexing files of module 'MyProject'
2020-01-16T10:13:20.8247952Z INFO:   Base dir: D:\a\1\s\MyProject\MyProject
2020-01-16T10:13:20.8418677Z INFO:   Test paths: App_Start/AuthenticationExtensions/IIdentityServerCertificatePr...
2020-01-16T10:13:20.8419325Z INFO:   Excluded sources: **/bower_components/**/*, **/node_modules/**/*, **/Scripts/lib/**/*, **/bundle.js
2020-01-16T10:13:20.8419669Z INFO:   Excluded sources for duplication: **/AssemblyInfo.cs

The only other projects in the scan to feature “Test paths” as part of the logs are our unit test projects. This one is the only non-test project like this. Other normal projects feature “Source paths: xxx” instead.
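A small check that automates what this post does by hand: it walks scanner output, records whether each module was indexed under "Source paths" or "Test paths", and flags modules that were indexed only as test code although their name does not end in "Test"/"Tests" (the naming rule from the thread). This is an added example, not SonarSource code; the log text is constructed and the module names are made up.

```python
import re
from typing import Dict, List, Set

# Constructed sample of SonarScanner for MSBuild output (not a real scan log).
SAMPLE_LOG = r"""
2020-01-16T10:13:20.8246946Z INFO: Indexing files of module 'MyProject'
2020-01-16T10:13:20.8247952Z INFO:   Base dir: D:\a\1\s\MyProject\MyProject
2020-01-16T10:13:20.8418677Z INFO:   Test paths: App_Start/Foo.cs, Controllers/HomeController.cs
2020-01-16T10:13:21.0000000Z INFO: Indexing files of module 'MyProject.Tests'
2020-01-16T10:13:21.0000001Z INFO:   Test paths: UnitTest1.cs
2020-01-16T10:13:21.0000002Z INFO: Indexing files of module 'MyProject.Core'
2020-01-16T10:13:21.0000003Z INFO:   Source paths: Services/DummyService.cs
"""

MODULE_RE = re.compile(r"INFO: Indexing files of module '([^']+)'")
KIND_RE = re.compile(r"INFO:\s+(Source|Test) paths:")


def classify_modules(log_text: str) -> Dict[str, str]:
    """Map each indexed module to 'source', 'test', 'mixed' or 'empty'
    depending on which 'paths:' lines follow its 'Indexing files' line."""
    kinds: Dict[str, Set[str]] = {}
    current = None
    for line in log_text.splitlines():
        m = MODULE_RE.search(line)
        if m:
            current = m.group(1)
            kinds.setdefault(current, set())
            continue
        k = KIND_RE.search(line)
        if k and current is not None:
            kinds[current].add(k.group(1).lower())
    result: Dict[str, str] = {}
    for name, seen in kinds.items():
        if seen == {"source"}:
            result[name] = "source"
        elif seen == {"test"}:
            result[name] = "test"
        else:
            result[name] = "mixed" if seen else "empty"
    return result


def looks_like_test_name(name: str) -> bool:
    # Naming rule quoted in the thread: project names ending in "Test" or "Tests".
    return re.search(r"tests?$", name, re.IGNORECASE) is not None


def suspicious_modules(log_text: str) -> List[str]:
    """Modules indexed only as test code whose name does not look like a test project;
    SAST will not run on these, so they deserve a look at the scanner configuration."""
    return sorted(n for n, k in classify_modules(log_text).items()
                  if k == "test" and not looks_like_test_name(n))
```

Run it over the real scanner log (for example `suspicious_modules(open("scanner.log").read())`) to list the production projects that will be skipped by the SAST engine.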

We’ve finally got to the bottom of this. Turns out we had this problem: https://github.com/SonarSource/sonar-scanner-msbuild/issues/764

Would be good to see this added to https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-msbuild/

Thanks for the assistance