Scanner deep-dive

SonarQube by SonarSource ↗

Rule-Based SAST · community · scored on 26/26 repositories. Strict scoring (unfinished repos counted as misses).

6.9

F3 (strict)

7.7

F2 (strict)

6.3%

Recall (strict)

61.1%

Precision

26/26

Repos scored

—

Model

Free

Total cost

—

Avg latency

Per-repository breakdown

Each bar shows true positives, false positives, and misses on one repository; bar length is proportional to that repo's labeled vulnerabilities. Ranked by F2.

True positiveFalse positiveMissed (FN)

lets-be-bad-guys38 F2 · 33%

insecure-web38 F2 · 33%

python-app23 F2 · 20%

vulnerable-python-apps20 F2 · 18%

pygoat17 F2 · 14%

extremely-vulnerable-flask-app15 F2 · 12%

vulpy10 F2 · 9%

vulnpy8 F2 · 6%

damn-vulnerable-flask-application0 F2 · 0%

damn-vulnerable-graphql-application0 F2 · 0%

djangoat0 F2 · 0%

dsvpwa0 F2 · 0%

dsvw0 F2 · 0%

dvblab0 F2 · 0%

dvpwa0 F2 · 0%

flask-xss0 F2 · 0%

intentionally-vulnerable-python-application0 F2 · 0%

owasp-web-playground0 F2 · 0%

python-insecure-app0 F2 · 0%

pythonssti0 F2 · 0%

threatbyte0 F2 · 0%

vampi0 F2 · 0%

vfapi0 F2 · 0%

vulnerable-api0 F2 · 0%

vulnerable-flask-app0 F2 · 0%

vulnerable-tornado-app0 F2 · 0%

Repository	TP	FP	FN	Recall %	F2
lets-be-bad-guys	8	1	16	33.3	38.1
insecure-web	3	1	6	33.3	37.5
python-app	4	3	16	20.0	23.0
vulnerable-python-apps	4	6	18	18.2	20.4
pygoat	11	11	66	14.3	16.7
extremely-vulnerable-flask-app	4	2	28	12.5	14.9
vulpy	5	4	52	8.8	10.5
vulnpy	5	0	73	6.4	7.9
damn-vulnerable-flask-application	0	0	15	0.0	0.0
damn-vulnerable-graphql-application	0	0	36	0.0	0.0
djangoat	0	0	50	0.0	0.0
dsvpwa	0	0	32	0.0	0.0
dsvw	0	0	27	0.0	0.0
dvblab	0	0	22	0.0	0.0
dvpwa	0	0	22	0.0	0.0
flask-xss	0	0	30	0.0	0.0
intentionally-vulnerable-python-application	0	0	7	0.0	0.0
owasp-web-playground	0	0	28	0.0	0.0
python-insecure-app	0	0	8	0.0	0.0
pythonssti	0	0	2	0.0	0.0
threatbyte	0	0	26	0.0	0.0
vampi	0	0	15	0.0	0.0
vfapi	0	0	9	0.0	0.0
vulnerable-api	0	0	14	0.0	0.0
vulnerable-flask-app	0	0	21	0.0	0.0
vulnerable-tornado-app	0	0	14	0.0	0.0

Detection by severity

Severity	TP	FP	FN	Recall %
Critical	10	0	76	11.6
High	14	0	250	5.3
Medium	20	1	259	7.2
Low	0	0	68	0.0

Detection by vulnerability class

CWE family	TP	FP	FN	Recall %
Code Injection / RFI	4	0	10	28.6
Hardcoded Credentials	14	1	47	23.0
Path Traversal	5	0	21	19.2
Command / OS Injection	3	0	14	17.6
Open Redirect	1	0	5	16.7
XML External Entities	1	0	7	12.5
Cross-Site Scripting	10	0	72	12.2
Insecure Deserialization	2	0	17	10.5
Server-Side Request Forgery	2	0	22	8.3
SQL Injection	1	0	46	2.1
Other	1	0	205	0.5
Missing Authentication / Authorization	0	0	47	0.0
Broken Access Control / IDOR	0	0	24	0.0
Denial of Service	0	0	20	0.0
Security Misconfiguration	0	0	33	0.0
Sensitive Data Exposure	0	0	57	0.0
HTTP Header Injection	0	0	2	0.0
XPath Injection	0	0	4	0.0

Cost

Free

Total cost

Python LOC scanned

Successful runs

← Back to the leaderboard