Unable to scan the vulnerability

Hi Sonar Team,

I have successfully installed and configured SonarQube (9.6.1) and sonar scanner (4.8.0). I have installed Oracle JDK version 11.0.15.
I am using PostgreSQL as the database, and the version is 7.2.

I have project code on my local machine and I am trying to scan it. Everything is working except vulnerabilities. Vulnerabilities are not showing.

The types of files in the project code to scan are:

JavaScript
Knockout.js

To get a vulnerability reported in the SonarQube dashboard, I have hard-coded some of the credentials, but it is not being reported.

Can anyone guide me on this so that I can get vulnerabilities reported in the SonarQube dashboard?

Attached is the screenshot for reference.

Hey there.


Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

9.6 → 9.9.1 → 10.1 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

And, if you still can’t raise the issue once upgraded, I suggest including a reproducible code snippet where you expect the issue to be raised.

Hope you are doing well.
As guided, I have upgraded the sonar scanner to 9.9.1 but am still unable to see the vulnerability reported on the Sonar dashboard.
I have hard-coded the credentials as shown in the first screenshot to report the vulnerability, but it is still not reporting. Below is the snippet for reference.
I also tried providing the SQL attack as shown in the second screenshot, but then also it is not detected.

Requesting you to guide me on the same.


Hey there.

For the SQL injection – if you’re running the Community Edition of SonarQube, you won’t be able to detect it. Detection of Injection vulnerabilities starts in SonarQube Developer Edition and higher (and on https://sonarcloud.io)

Regarding hardcoded credentials, is it possibly showing up under the Security Hotspots tab of your project?