diff --git a/sonar-java-plugin/src/main/resources/static/documentation.md b/sonar-java-plugin/src/main/resources/static/documentation.md index cf563c6a568..cd1f4fe5528 100644 --- a/sonar-java-plugin/src/main/resources/static/documentation.md +++ b/sonar-java-plugin/src/main/resources/static/documentation.md @@ -56,6 +56,27 @@ Example: `sonar.java.source=1.6` If the property is provided, the analysis will take the source version into account, and execute related rules accordingly. At run time, each of these rules will be executed – or not – depending of the Java version used by sources within the project. For instance, on a correctly configured project built with Java 6, rules targeting Java 7 and Java 8 will never raise issues, even though they are enabled in the associated rule profile. +## Analysing JSP and Thymeleaf for XSS vulnerabilities + +In SonarQube Developer and Enterprise editions and on SonarCloud you can benefit from advanced security rules including XSS vulnerability detection. Java analyzer supports analysis of Thymeleaf and JSP views when used with Java Servlets or Spring. To benefit from this analysis you need to make your views part of the project sources using `sonar.sources` property. In practice this usually means adding the following in your Maven `pom.xml` file + +```xml + + src/main/java,src/main/webapp + +``` + +or if you use Gradle +```groovy + sonarqube { + properties { + property "sonar.sources", "src/main/java,src/main/webapp" + } + } +``` + +where `src/main/webapp` is the directory which contains `.jsp` or Thymeleaf's `.html` files. + ## Related Pages * [Test Coverage & Execution](/analysis/coverage/) (JaCoCo, Surefire)
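Review bot: The Maven snippet in the new "Analysing JSP and Thymeleaf for XSS vulnerabilities" section shows only the bare value `src/main/java,src/main/webapp` inside the ```xml fence, with no enclosing `<properties>` / `<sonar.sources>` element, so a reader cannot tell how this value actually gets into `pom.xml`; the Gradle snippet immediately below does show the full `property "sonar.sources", ...` form, so the Maven one should be completed to match (e.g. `<properties>` / `<sonar.sources>src/main/java,src/main/webapp</sonar.sources>` / `</properties>`). Minor wording in the same hunk: "Java analyzer supports analysis of" reads better as "The Java analyzer supports analysis of", the sentence ending "in your Maven `pom.xml` file" is missing its terminating period, and "or if you use Gradle" should likewise end with a colon or period before the fence.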