This example demonstrates:
- Vulnerabilities
- Security Hotspots
It also demonstrates the possibility to define your own custom sources, sanitizers and sinks to detect more injection cases (or avoid false positives)
Run ./run.sh
This will:
- Delete the project key training:security if it exists in SonarQube (to start from a scratch)
- Run
mvn clean verify sonar:sonarto re-create the project
Project consists of a single class (training.security.Insecure.java) with a number of Vulnerabilities and Security Hotspots.
At the bottom of the class you see a bunch of methods that demonstrate custom injections.
- The method without sanitization (
doSomething()) has an injection vulnerability - The method with custom sanitization (
doSomethingSanitized()) has no vulnerability
The custom security configuration file is in the root directory here