Skip to content

Latest commit

 

History

History
 
 

security

Security

Use case

This example demonstrates:

  • Vulnerabilities
  • Security Hotspots

It also demonstrates the possibility to define your own custom sources, sanitizers and sinks to detect more injection cases (or avoid false positives)

Usage

Run ./run.sh

This will:

  • Delete the project key training:security if it exists in SonarQube (to start from a scratch)
  • Run mvn clean verify sonar:sonar to re-create the project

Project consists of a single class (training.security.Insecure.java) with a number of Vulnerabilities and Security Hotspots.

Custom security configuration

At the bottom of the class you see a bunch of methods that demonstrate custom injections.

  • The method without sanitization (doSomething()) has an injection vulnerability
  • The method with custom sanitization (doSomethingSanitized()) has no vulnerability

The custom security configuration file is in the root directory here