Since we are using it for security vulnerabilities, is there any way to filter that part of the application? The best I could find is to scan a project and then filter using the API. Is that the only way?
Is there any way to scan a project without compiling/binaries? What happens if a project fails to compile?
It’s not clear what type of filtering you want to do. If you want to analyze only part of the project, you can do that with exclusions. If you want to analyze the whole project but only with Security rules, then just create a Quality Profile containing only those rules and assign the project to it.
Assuming we’re talking about Java, C, C++, Objective-C, or C#, no.
Then it’s not analyzable, but that’s not such a crisis because it’s not deployable either.
I’m looking for something similar to HP’s Fortify or Checkmarx, so only security rules, but as far as I’ve seen on a few “vulnerable” projects, even with all the analyzers the quality of the findings is very poor, to say the least, and it doesn’t find actual issues like SQLi in the code even though it’s vulnerable.
Is this still an OWASP project, or has it outgrown its original purpose and become a code quality tool?
We always welcome feedback from the community to improve our detection engine. If you can share the vulnerable code samples where SQ/SC is unable to find any issues, we will look into that.
The rule RSPEC-2077 is a hotspot; it will raise whenever formatted queries are found (the goal is to lead you to the proper use of prepared statements, which are good for security and performance).
If a SQL injection is found, the rule RSPEC-3649 (available starting with SQ Commercial Edition) will be triggered.
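To make the hotspot above concrete, here is an added example (not code from the thread or from SonarSource) of the two query styles it contrasts: a query built by string formatting, which is the pattern a "formatted SQL query" hotspot such as RSPEC-2077 is meant to surface, beside the parameterised form it steers you towards. The table and rows are constructed in an in-memory SQLite database so the example runs offline.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the thread), kept in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_formatted(conn, name):
    # The pattern a formatted-query hotspot raises on: the caller's input is
    # spliced into the statement text, so it can alter the query's structure.
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def find_user_prepared(conn, name):
    # Parameterised form: the driver binds the value separately from the SQL
    # text, so the input is always treated as data, never as query syntax.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def compare(name):
    # Run both variants on the same input and return (formatted, prepared).
    conn = make_db()
    try:
        return find_user_formatted(conn, name), find_user_prepared(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A plain name behaves identically in both variants.
    print(compare("alice"))
    # Input containing a quote is treated as a literal only by the prepared
    # form; the formatted form lets it change what the WHERE clause matches.
    print(compare("x' OR 'a'='a"))
```

Running a static analyser with a security-only Quality Profile over code like `find_user_formatted` is what produces the hotspot; the finding goes away once the query is rewritten as in `find_user_prepared`.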
Hi!
Sorry for recovering such an old message.
But I’m having a hard time understanding which security issues are supported by the commercial editions (DE or EE) and not supported by the community edition.
Could you please tell me where this information is available (or how to find it out)?
Thanks in advance.