Why SonarQube doesn't spot some obvious vulnerabilities

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve
  • what have you tried so far to achieve this

Hi to everyone,

We are using SonarQube 8.9 LTS on OpenShift. It is working as expected.
For demonstration purposes, i wanted to create a vulnerable project and planting intentional vulnerabilities. I chose the vulnerabilities based on Quality Profiles (Java), which has 466 rules in which 41 are tagged as vulnerability. I selected weak hash algorithm rule from OWASP top 10 list. I attached the code where i place the piece of code. Nevertheless, SonarQube complains about everything but not the usage of MD5!! why?

These are the complaints from SonarQube :

  1. Replace the synchronized class "StringBuffer" by an unsynchronized one such as "StringBuilder".

  2. Use String.format("%02X", …) instead.

  3. Replace this use of System.out or System.err by a logger.

There is no alert, code smell, bug, or vulnerability associated with the MD5 algorithm!!?


Thanks in advance for your assistance

Hey there.

S4790 is a Security Hotspot, which you’ll find in the Security Hotspots tab of your project.
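To make the distinction concrete, here is an added example (not code from this thread or from SonarSource) that reproduces what the original poster saw and shows the two directions a fix can take. The `MessageDigest.getInstance("MD5")` call is what rule S4790 keys on, and SonarQube files it under Security Hotspots because MD5 can be acceptable for non-security checksums and a human has to decide; the `StringBuffer`, hex-formatting and `System.out` findings in the question are ordinary code smells and land under Issues. The class name `HashDemo`, the helper names, and the PBKDF2 iteration count are my own choices, not anything the thread specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HashDemo {

    // Hex-encode a digest. StringBuilder rather than StringBuffer, and
    // String.format("%02X") for padding, so the two code-smell findings from
    // the question are not raised here.
    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // Deliberately weak: this getInstance("MD5") call is the pattern S4790
    // detects. It is reported as a Security Hotspot (needs review), not as
    // a Vulnerability under the Issues tab.
    static String md5Hex(String input) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return toHex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    // Integrity / fingerprint use case: SHA-256 is a drop-in replacement
    // for MD5 here and does not trigger S4790.
    static String sha256Hex(String input) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return toHex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    // Password use case: a fast hash is wrong whether it is MD5 or SHA-256.
    // Use a salted, iterated KDF; PBKDF2-HMAC-SHA256 ships with the JDK.
    // The iteration count is an assumption for this example; tune it to
    // your hardware and current guidance.
    static String pbkdf2Hex(char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return toHex(factory.generateSecret(spec).getEncoded());
    }

    public static void main(String[] args) throws Exception {
        String input = "hello";                       // constructed sample input
        System.out.println("MD5     " + md5Hex(input));      // hotspot S4790
        System.out.println("SHA-256 " + sha256Hex(input));   // no hotspot
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);                  // per-password random salt
        System.out.println("PBKDF2  " + pbkdf2Hex(input.toCharArray(), salt, 600_000));
    }
}
```

Running a scan over this file reproduces the behaviour in the question: the `System.out` lines still come back as code smells under Issues, while the only finding on `md5Hex` is the hotspot in the Security Hotspots tab, where it has to be marked either "Fixed" or "Safe" (for example, MD5 used as a cache key) by a reviewer. Note also that `sha256Hex` is the right fix only for integrity checks; if the MD5 was hashing passwords, the hardened version is `pbkdf2Hex`, not a faster digest.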

Thanks for the reply.
I’m happy that it was recognized and spotted somewhere.
As a suggestion, I think the terms are pretty confusing, and the differentiation between the Issues and Security Hotspots tabs could be an excruciating challenge for someone who is not familiar with either security or SonarQube's wording.
