SonarLint missing PHP exec() security vulnerability (command injection)

Please provide

  • Operating system: MacOS Monterey
  • IDE name and flavor/env: VSCode
    Version: 1.67.1 (Universal)
    Commit: da15b6fd3ef856477bf6f4fb29ba1b7af717770d
    Date: 2022-05-06T12:37:16.526Z (6 days ago)
    Electron: 17.4.1
    Chromium: 98.0.4758.141
    Node.js: 16.13.0
    V8: 9.8.177.13-electron.0
    OS: Darwin x64 21.4.0
  • SonarLint plugin version: 3.4.2
  • Is connected mode used: Yes
    • Connected to SonarCloud

And a thorough description of the problem / question:

I just tried to test finding a vulnerability in my code by adding a very clear/explicit vulnerability:

exec($_GET['command']);

SonarLint didn’t find it. I waited 15 minutes after saving to see if it was just a time issue.

I tried semgrep which found and reported the issue nearly immediately in VSCode.

Any idea why SonarLint isn’t catching it?
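For reference, here is the pattern from the post beside a hardened version of the same feature, as an added example that is not part of this thread, of SonarLint, or of the poster's code. The function names, the allowlist entries, the `path` parameter and the sample requests are assumptions made for illustration.

```php
<?php
// Added example (not from the original post or from SonarLint).
// Shows the reported pattern next to a hardened version.

// Vulnerable: the request parameter is the whole shell command line, so any
// shell metacharacters in it are interpreted by /bin/sh. This is the
// OS command injection pattern a SAST tool is expected to flag.
function runUnsafe(array $get): array
{
    exec($get['command'], $output, $code);   // DO NOT use in real code
    return ['code' => $code, 'output' => $output];
}

// Hardened design: user input never chooses the program. It only selects one
// of a few fixed commands (allowlist) and may supply one validated argument,
// which is passed as its own argv entry without ever touching a shell.
// The allowlist entries below are assumptions for the example.
const ALLOWED_COMMANDS = [
    'disk'   => ['/bin/df', '-h'],
    'uptime' => ['/usr/bin/uptime'],
];

function runSafe(array $get): array
{
    $name = (string) ($get['command'] ?? '');
    if (!array_key_exists($name, ALLOWED_COMMANDS)) {
        throw new InvalidArgumentException('unknown command');
    }
    $argv = ALLOWED_COMMANDS[$name];

    // Optional path argument: strict character set, no parent-directory
    // traversal, bounded length. Still appended as a separate argv element.
    if (isset($get['path'])) {
        $path = (string) $get['path'];
        if (!preg_match('~^[A-Za-z0-9_./-]{1,200}$~', $path) || strpos($path, '..') !== false) {
            throw new InvalidArgumentException('invalid path');
        }
        $argv[] = $path;
    }

    // proc_open() with an array command (PHP >= 7.4) executes the program
    // directly; no shell parses the arguments, so there is nothing to inject.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);

    return ['code' => $code, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed sample requests (not real traffic) standing in for $_GET.
$benign  = ['command' => 'disk', 'path' => '/tmp'];
$hostile = ['command' => 'disk; echo injected'];   // not an allowlisted key

print_r(runSafe($benign));
try {
    runSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";   // prints "rejected: unknown command"
}
```

If the code must stay on `exec()` for some reason, the same allowlist applies and every argument has to be wrapped with `escapeshellarg()` before being joined into the command string; the array form of `proc_open()` is preferable because it removes the shell from the picture entirely rather than relying on quoting.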

Hey there.

See this:

Thank you!
