We want to see a SonarQube scan report for WebGoat project

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Not very sure at the moment. I will add it when I figure it out.

  • what are you trying to achieve
    I manage the security program at CRD. I am trying to check how SonarQube performs at finding vulnerabilities. WebGoat is a known vulnerable component. We did a scan in house, but found that some types of vulnerabilities are missing, including XSS and file and path manipulation, etc. I am wondering whether the tool does not perform well on those types of vulnerabilities or we did not configure the tool correctly. I hope you can do a scan and send me the report with notes on what you've changed on top of the default configuration.

  • what have you tried so far to achieve this
    See above note.

Hi @janewang ,

Welcome to the SonarSource community!

You can find the version of SonarQube at the bottom of the SonarQube UI in the footer section. Please provide that version so that we have better context.

Can you provide the exact WebGoat repository you are attempting to use? There are several things to note when scanning: active rules in the quality profile, improperly configured scanner, etc.

Please attach the debug-level logs of your scan by appending `-X` if it's a Maven project or if you are using the sonar-scanner CLI, or by appending `-d` if it's a Gradle project. If it's a .NET project, add `/d:"sonar.verbose=true"` to the BEGIN step with Sonar Scanner for .NET/MSBuild.

If you don’t feel comfortable sharing it, then you can private message me like so:

Joe


Here is the GitHub link that we used to test scan.

SonarQube Enterprise Edition Version 8.5.1 (build 38104)
SonarScanner for Maven 3.8

Hi @janewang ,

Thanks for your patience. I took some time to run this project and play with it as well as analyzing it myself. There is no need to change the default configuration.

Here is my scan of it on SonarCloud, which should be similar to your SonarQube scan: https://sonarcloud.io/dashboard?id=joetingsanchali_webgoat

And here are my results, which are similar to what you saw based on the SonarSource security category where 26 total vulnerabilities were detected:

| Vulnerability | Count + Rule |
|---|---|
| SQL Injection | 12x javasecurity:S3649 |
| Others | 5x java:S1989, 2x java:S4684 |
| Path Traversal Injection | 3x javasecurity:S2083 |
| Weak Cryptography | 2x java:S5344 |
| Object Injection | 1x javasecurity:S5135 |
| XML External Entity (XXE) | 1x java:2755 |

Can you explain which vulnerability was not detected (vulnerability type, file location, etc.)?

You can use our rules repository to see which ones you wanted to see also: https://rules.sonarsource.com/java/type/Vulnerability

Joe
