Hi, I’m trying sonarcube to detect mainly security XSS issues in Javascript. I tired it with some code that had some XSS issues (for example jquery’s .html() function or .innerHTML with variables that come from user input) but had nothing reported.
I’ve checked the security rules but there is nothing there to take into account these rules. Is there any way i can expand sonarcube to test for this kind of vulnerabilities?
Many thanks!
Hello Larry,
Thanks for joining the SonarQube community and expressing your interest on JS security rules.
As of now, our security offering is quite limited on JavaScript / TypeScript with a couple of Security Hotspot and Vulnerability rules.
We are working on it to provide more rules, especially the XSS one you mentioned. This should come in 2020.
Regards
Hi, any update on this i am also trying same with Community Edition
Version 8.9.10 (build 61524) report generated using CNES. how to detect xss in java and reactjs projects
Hello,
With SonarQube CE 8.9, you will not be able to detect any XSS.
To effectively detect XSS and other injection vulnerabilities in Java and JS/TS, it is required to obtain access to the commercial edition of SonarSource. The Developer Edition offers advanced features and enhanced security analysis capabilities.
As of now, you should target SQ 9.9 if you have to use an LTS. If you don’t have any constraints in your company, it’s generally better to use the latest (as of now the 10.1).
Alex
Thanks for clarification. will update to latest. for now can you suggest any open source tools to scan xss and generate report.
