Sonarqube version: 126.96.36.19901
Sonar scanner: sonar-scanner-msbuild-188.8.131.520-net46
SonarC#: 7.12 (build 8217)
I wanted to see SonarQube's detection capabilities on the security side as a SAST. I installed SonarQube 7.6 Developer Edition with a demo license.
And I used the WebGoat.NET project, which was born to be vulnerable. It has many vulnerabilities like XSS, SQLi, RCE etc.
The result was worse than expected.
Hardcoded passwords, ReDoS (Regex DoS) as blocker, and also cookie with HttpOnly flag and dangerous eval usage issues were found.
Attached the Sonar way and issues files.
Is there something wrong with the scanning or profiling?