Alexandre Gigleux
Just to say it, at SonarSource, we are really interested in seeing OpenSSF CVE Benchmark supporting Java, C#, PHP, Python and C. I'm sure we can contribute some CVEs but...
> Would it be possible for you to easily try such Java benchmark entries on your internal SonarSource driver and report back about general issues? Yes, I will be able...
I'm ready to allocate time to test the Java part whenever you are. Just ping me here and I'll work on it.
@esbena All good on my side.
I have a concern related to MSR2019 dataset. I'm not sure this is a good dataset to support first, for the first support of Java in ossf-cve-benchmark. While I think...
Given the quantity of vulnerabilities demonstrated (i.e. less than 100), I'm not sure it's required to build an automated solution to generate the issues that should be detected automatically by...
Hello, I think it's important to get the exact line number where the vulnerability can be exploited to measure how precise the SAST tool is. Overall, I wonder if this...
For SonarQube or SonarCloud, the line number will be at the line containing `process.exec(` (i.e. at the location of the "sink").
Even if I doubt that such code will exist in real life, I would expect the issue to be raised on the `exec`'s line.
I think you should wait for https://jira.sonarsource.com/browse/MMF-1700 to be implemented before trying to scan VulnerableApp with SonarQube/SonarCloud. VulnerableApp is relying a lot on lambda expressions and our security engine doesn't...