Trying to use SonarQube to detect XSS vulnerabilities in JS

Hi, I’m trying SonarQube to detect mainly security XSS issues in JavaScript. I tried it with some code that had some XSS issues (for example jQuery’s .html() function or .innerHTML with variables that come from user input) but had nothing reported.

I’ve checked the security rules but there is nothing there to take into account these issues. Is there any way I can expand SonarQube to test for this kind of vulnerability?

Many thanks!
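To make concrete what a rule for the sinks named in the question has to match, here is an added example. It is not code from the original post and not SonarQube's or SonarSource's rule engine: a deliberately simple, single-line heuristic that flags writes to HTML-parsing sinks (`.innerHTML`, `.outerHTML`, jQuery `.html(...)`, `document.write`) and marks whether the written value visibly references a user-controlled source. The function names, the source and sink lists, and the sample source text are all constructed for the illustration; it runs under Node.js.

```javascript
// Added example (not SonarQube's rule engine or any SonarSource code).
// A single-line taint heuristic for DOM XSS: report lines that write to an
// HTML-parsing sink and note whether the value visibly comes from a source
// the attacker controls. Runs under Node.js with no dependencies.

// Sources an attacker controls directly (URL parts, referrer, window.name).
const TAINT_SOURCES = [
  /\blocation\.(?:hash|search|href)\b/,
  /\bdocument\.(?:URL|referrer|cookie)\b/,
  /\bwindow\.name\b/,
];

// Sinks that parse their input as HTML. Capture group 1 is the written value.
const HTML_SINKS = [
  { name: 'innerHTML',      re: /\.(?:innerHTML|outerHTML)\s*=\s*(.+?);?\s*$/ },
  { name: 'jQuery.html',    re: /\.html\(\s*(.*\S)\s*\)/ },
  { name: 'document.write', re: /\bdocument\.write(?:ln)?\(\s*(.*\S)\s*\)/ },
];

// Scan JavaScript source text line by line; return one finding per sink hit.
function findXssSinks(sourceText) {
  const findings = [];
  sourceText.split('\n').forEach((line, index) => {
    for (const sink of HTML_SINKS) {
      const match = sink.re.exec(line);
      if (!match) continue;
      const value = match[1];
      const tainted = TAINT_SOURCES.some((src) => src.test(value));
      findings.push({ line: index + 1, sink: sink.name, value, tainted });
    }
  });
  return findings;
}

// Hardened alternative: use textContent when no markup is needed; when it is,
// escape untrusted text before concatenating it into HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Constructed sample input (not code from the original post).
const SAMPLE_SOURCE = [
  'const q = new URLSearchParams(location.search).get("q");',          // 1: source only
  'out.innerHTML = "Results for " + location.search;',                 // 2: sink, tainted
  '$("#greeting").html(decodeURIComponent(location.hash.slice(1)));', // 3: sink, tainted
  'out.innerHTML = q;',                                                // 4: sink, taint flows via q
  'count.innerHTML = "<b>" + items.length + "</b>";',                  // 5: sink, no visible source
  'out.textContent = location.search;',                                // 6: safe sink
  'const current = $("#greeting").html();',                            // 7: getter, not a sink
  'document.write("<p>" + document.referrer + "</p>");',               // 8: sink, tainted
].join('\n');

for (const f of findXssSinks(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.sink} <- ${f.value}${f.tainted ? '  [TAINTED]' : ''}`);
}
```

Sample line 4 shows the limit of this approach: the value `q` was derived from `location.search` on line 1, so the write is exploitable, but a per-line pattern can only report the sink as something to review. Proving the flow from source to sink requires taint tracking across statements (and across functions and files), which is the difference between a hotspot-style rule that asks for review and a rule that reports a confirmed vulnerability.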

Hello Larry,

Thanks for joining the SonarQube community and expressing your interest in JS security rules.

As of now, our security offering is quite limited on JavaScript / TypeScript, with a couple of Security Hotspot and Vulnerability rules.
We are working on it to provide more rules, especially the XSS one you mentioned. This should come in 2020.

Regards