which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
Not very sure at the moment. I will add it when I figure it out.
what are you trying to achieve
I managed the security program at CRD. I am trying to check how SonarQube performs on finding vulnerabilities. WebGoat is a known vulnerable component. We did a scan in house but found that some types of vulnerabilities are missing, including XSS and file and path manipulation, etc. I am wondering whether the tool does not perform well on those types of vulnerabilities or whether we did not configure the tool correctly. I hope you can do a scan and send me the report with notes on what you’ve changed on top of the default configuration.
what have you tried so far to achieve this
See above note.
You can find the version of SonarQube at the bottom of the SonarQube UI in the footer section. Please provide that version so that we have better context.
Can you provide the exact WebGoat repository you are attempting to use? There are several things to note when scanning: active rules in the quality profile, improperly configured scanner, etc.
Please attach the debug-level logs of your scan by appending -X if it’s a Maven project or if you are using the sonar-scanner CLI, or by appending -d if it’s a Gradle project. If it’s a .NET project, add /d:"sonar.verbose=true" to the BEGIN step with Sonar Scanner for .NET/MSBuild.
If you don’t feel comfortable sharing it, then you can private message me like so:
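Added example (not part of this thread and not SonarSource's own tooling): a small POSIX sh helper that prints the debug-enabled scan command described in the reply above for whichever build tool a project directory uses, plus a function that scrubs credentials from the resulting log before it is attached to a public post. It assumes the standard entry points mvn sonar:sonar, gradle sonar (older versions of the Gradle plugin used the task name sonarqube; override with GRADLE_SONAR_TASK), dotnet sonarscanner begin and sonar-scanner, and that the log is plain text.

```shell
#!/bin/sh
# Added example, not from the thread. Picks the debug flag for the scanner
# in use by looking at the build files present in a project directory.

# Assumption: the Gradle task is "sonar"; older plugin versions used "sonarqube".
GRADLE_SONAR_TASK="${GRADLE_SONAR_TASK:-sonar}"

# Return 0 if the directory holds a .sln or .csproj file (a .NET project).
has_dotnet_project() {
  for f in "$1"/*.sln "$1"/*.csproj; do
    [ -e "$f" ] && return 0
  done
  return 1
}

# Print the scan command with debug logging enabled for the given project dir.
debug_scan_cmd() {
  dir="$1"
  if [ -f "$dir/pom.xml" ]; then
    # Maven: -X turns on debug output for the whole build, including the scanner.
    echo 'mvn sonar:sonar -X'
  elif [ -f "$dir/build.gradle" ] || [ -f "$dir/build.gradle.kts" ]; then
    # Gradle: -d is the debug log level.
    echo "gradle $GRADLE_SONAR_TASK -d"
  elif has_dotnet_project "$dir"; then
    # Scanner for .NET: verbose must be set on the BEGIN step.
    echo 'dotnet sonarscanner begin /d:"sonar.verbose=true"'
  else
    # Anything else: the standalone CLI scanner, which also takes -X.
    echo 'sonar-scanner -X'
  fi
}

# Debug logs echo the analysis properties, so strip token/password values
# (sonar.login, sonar.token, sonar.password) and HTTP Authorization headers
# before sharing the log file.
redact_log() {
  sed -E \
    -e 's/(sonar\.(login|token|password)=)[^[:space:]"]+/\1<REDACTED>/g' \
    -e 's/(Authorization: *(Basic|Bearer) +)[^[:space:]]+/\1<REDACTED>/g' \
    "$1"
}

# Stand-alone use: ./debug_scan.sh <project-dir> [<log-to-redact>]
if [ "$#" -ge 1 ]; then
  debug_scan_cmd "$1"
  [ "$#" -ge 2 ] && redact_log "$2"
fi
```

Run the printed command from the project directory, redirect its output to a file, and pass that file through redact_log before attaching it; the redaction is a safety net rather than a substitute for keeping tokens out of the command line in the first place (for example by putting them in the SONAR_TOKEN environment variable where the scanner supports it).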
Thanks for your patience. I took some time to run this project and play with it as well as analyzing it myself. There is no need to change the default configuration.