SonarQube NestJS + Prisma ORM

Hi everybody,

I’m working on a simple CRUD application for educational purposes, more precisely a university project. One of many topics is scanning code with SonarQube.

What am I using:

  • sonarqube Docker image, tag latest
  • NestJS, version 10.0.0
  • Prisma ORM with Postgres, Prisma version 5.15.0
  • typescript, version: 5.1.3

Other maybe relevant things:

  • Node v21.6.0
  • yarn package manager
  • win 11 x64

Since the topic is secure coding, I’ve tried to test Sonar, and I’ve tried to trigger the security check for a SQL injection that I have in code, but it’s not detected, and that part is marked as uncovered code.

Command for running analysis:

sonar-scanner.bat -D"sonar.projectKey=tanks-api" -D"sonar.sources=." -D"sonar.javascript.lcov.reportPaths=../coverage/lcov.info" -D"sonar.inclusions=src/**/*.ts" -D"sonar.host.url=http://localhost:9000" -D"sonar.token={my-token}"

Code in service.ts where the SQL injection is:

(screenshot attachment)

Some basics are detected, like commented code, API secrets like hardcoded API keys, and unused imported functions. But no NestJS code or Prisma code is covered by Sonar.

Also, since I’m using WebStorm I’ve installed SonarLint, with the same results.

For any additional info feel free to ping me.

I have scraped Google searching for a solution but I can’t find any, so I think this is my only option left.
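As an added illustration of the pattern the question describes (this is not code from the thread, nor Prisma's own implementation): a small stand-in for Prisma's tagged-template `$queryRaw`, which keeps parameter values apart from the SQL text, shown beside the string-built query that a taint rule would flag. The `Tank` table name and the function names are assumptions.

```typescript
// Result shape of a parameterized query: statement text with positional
// placeholders, plus the values sent separately to the database driver.
interface SqlQuery {
  text: string;
  values: unknown[];
}

// Stand-in for Prisma's `Prisma.sql` / `$queryRaw` tagged template (assumed
// behaviour, not Prisma's code): each interpolated value becomes a Postgres
// placeholder ($1, $2, ...) and is never spliced into the statement text.
function sql(strings: TemplateStringsArray, ...values: unknown[]): SqlQuery {
  let text = "";
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) text += `$${i + 1}`;
  });
  return { text, values };
}

// "Before": user input concatenated into the statement. This is the shape of
// code a SQL-injection taint rule reports, because the value `name` flows from
// an untrusted source straight into the query string.
function findTankUnsafe(name: string): string {
  return `SELECT * FROM "Tank" WHERE name = '${name}'`;
}

// "After": the same query as a tagged template. In the real NestJS service
// this would be prisma.$queryRaw`...`; the value travels as a parameter.
function findTankSafe(name: string): SqlQuery {
  return sql`SELECT * FROM "Tank" WHERE name = ${name}`;
}

// Quick self-check a reviewer can run: a parameterized query must not contain
// any of its own values inside the statement text.
function usesOnlyPlaceholders(q: SqlQuery): boolean {
  return q.values.every((v) => !q.text.includes(String(v)));
}

// Demonstration with a constructed, perfectly ordinary input that happens to
// contain a quote. The unsafe version produces a syntactically broken
// statement ('O'Brien'), which is the same mechanism an injection abuses;
// the safe version keeps the statement fixed and ships the value separately.
const sampleName = "O'Brien";
console.log(findTankUnsafe(sampleName));
console.log(findTankSafe(sampleName));
console.log("parameterized:", usesOnlyPlaceholders(findTankSafe(sampleName)));
```

The same distinction applies to Prisma's `$queryRawUnsafe(string)`, which takes an already-built string and therefore inherits whatever was concatenated into it.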

Hi,

I’m assuming you’re running Community Edition (CE)? If you’re not sure, check your page footer.

Taint analysis rules, such as the one to detect SQL injection, aren’t available in CE. That starts at Developer Edition ($). Or you could jump to SonarCloud, which is free for OSS projects, and which includes all rules even for the free tier.

Taint analysis rules are also not run in SonarLint, but for a different reason: they require cross-file analysis and would drag down performance, so they’re only run in a full analysis. In SonarLint’s connected mode you can sync those issues from the server, however.

Yes, your academic topic is analysis with SonarQube, but both run the same analyzers under the hood.

BTW, the uncovered code marker is a red herring here. It simply means you didn’t pass a test coverage report into analysis that indicated the line had been exercised during (unit) testing.

HTH,
Ann

Thank you so much for the reply, and clarification. I will try to use SonarCloud then :smile: .

Have a great day

Imra