Why SonarQube doesn't spot some obvious vulnerabilities

openshift4 · October 6, 2022, 9:45am

Must-share information (formatted with Markdown):

which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
what are you trying to achieve
what have you tried so far to achieve this

Hi to everyone,

We are using SonarQube 8.9 LTS on OpenShift. It is working as expected.
For demonstration purposes, i wanted to create a vulnerable project and planting intentional vulnerabilities. I chose the vulnerabilities based on Quality Profiles (Java), which has 466 rules in which 41 are tagged as vulnerability. I selected weak hash algorithm rule from OWASP top 10 list. I attached the code where i place the piece of code. Nevertheless, SonarQube complains about everything but not the usage of MD5!! why?

These are the complaints from SonarQube :

Replace the synchronized class “StringBuffer” by an unsynchronized one such as “StringBuilder”.Why is this an issue?
Use String.format( “%02X”, …) instead.Why is this an issue?
Replace this use of System.out or System.err by a logger.Why is this an issue?

There is no alert, code smells, bug, vulnerability associated with the MD5 algorithm!!?

Why?

Thanks in advance for your assistance

Colin · October 6, 2022, 10:11am

Hey there.

S4790 is a Security Hotspot, which you’ll find in the Security Hotspots tab of your project.

openshift4 · October 6, 2022, 11:57am

Thanks for the reply.
I’m happy that it was recognized and spotted somewhere.
As a suggestion, I think the terms are pretty confusing and the differentiation between the issues and security hotspots tabs; could be an excruciating challenge for someone who is not familiar with either security or SonarQube’s wording.

system · October 13, 2022, 11:58am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.