Must-share information (formatted with Markdown):
- sonarqube-10.6.0.92116 windows-x86-64 (Community), sonar-scanner-cli-6.2.0.4584
- how is SonarQube deployed: zip
- what are you trying to achieve: I am trying to run a local scan of the sample JS file below, which deliberately contains several different security weaknesses (string-built SQL, unescaped HTML output, and an MD5 password hash) to see which of them SonarQube reports.
// Express bootstrap for the sample: every handler below reads fields from
// req.body, so URL-encoded form bodies must be parsed before the routes run.
const bodyParser = require('body-parser');
const express = require('express');

const app = express();
// extended: true selects body-parser's richer form parser (nested keys) —
// body-parser semantics, not something this file itself demonstrates.
app.use(bodyParser.urlencoded({ extended: true }));
// POST /sqlinjection — intentionally vulnerable sample: the raw form field is
// interpolated straight into an SQL string. NOTE(review): executeQuery (defined
// further down) only formats the string and never calls a database client, so a
// taint-analysis rule may have no recognised SQL sink to match here — confirm
// against the rule's sink list before treating a non-detection as a bug.
app.post('/sqlinjection', (req, res) => {
  const { userInput } = req.body;
  // Vulnerable to SQL Injection: untrusted input concatenated into the query.
  const sql = `SELECT * FROM users WHERE username = '${userInput}'`;
  res.send(executeQuery(sql));
});
// POST /xss — intentionally vulnerable sample: the raw form field is
// interpolated into an HTML fragment and returned via res.send (presumably
// served as HTML per Express's default for string bodies — not shown here).
app.post('/xss', (req, res) => {
  const { userInput } = req.body;
  // Vulnerable to XSS: no HTML escaping of untrusted input before rendering.
  const page = `<h1>Hello ${userInput}</h1>`;
  res.send(page);
});
// POST /insecure-crypto — intentionally weak sample: the submitted password is
// hashed by hashPassword (MD5, defined below) and the digest is echoed back to
// the client. A request without a `password` field is not guarded against and
// will presumably throw inside hashPassword.
app.post('/insecure-crypto', (req, res) => {
  const { password } = req.body;
  // Uses insecure hashing algorithm (see hashPassword).
  const digest = hashPassword(password);
  res.send(digest);
});
/**
 * Simulated database execution: no database is contacted; the query text is
 * echoed back with an "Executed: " prefix. Because this is a local stub and
 * not a DB-client call, it is not a real SQL sink.
 * @param {string} query - SQL text, already built (and possibly tainted).
 * @returns {string} "Executed: " followed by the query verbatim.
 */
function executeQuery(query) {
  const prefix = 'Executed: ';
  // String.prototype.concat applies the same ToString conversion as a
  // template literal, so non-string inputs behave identically.
  return prefix.concat(query);
}
/**
 * Hash a password with MD5 and return the hex digest.
 *
 * Intentionally weak sample kept as-is: unsalted MD5 has no salt and no work
 * factor, so it is unsuitable for password storage — the point of this file
 * is to see whether the scanner reports it.
 * @param {string} password - plaintext password to hash.
 * @returns {string} 32-character lowercase hex MD5 digest.
 */
function hashPassword(password) {
  const { createHash } = require('crypto');
  // Insecure hashing (MD5): no salt, no work factor.
  const md5 = createHash('md5');
  md5.update(password);
  return md5.digest('hex');
}
// Listen on $PORT when it is set to a non-empty value, otherwise on 3000.
// `||` (not `??`) is kept on purpose so an empty PORT string falls back too.
const PORT = process.env.PORT || 3000;

const onListening = () => {
  console.log(`Server running on port ${PORT}`);
};

app.listen(PORT, onListening);
- what have you tried so far to achieve this: The scan completes but reports no Security issues at all. I expected it to detect at least the SQL injection and the XSS. Two things I have not been able to confirm and would appreciate help with: (1) whether injection (taint-analysis) rules such as SQL injection and XSS are available in the Community Edition at all, or only in the commercial editions; and (2) whether the fact that `executeQuery` is a local stub, rather than a call into a real database client, means there is no recognised SQL sink for the analyzer to match. I also assume the MD5 usage, if flagged, would show up as a Security Hotspot rather than under Issues.
Thanks.