I have this code (I created this code only to test this problem):

    import java.sql.Connection;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;

    // User is the poster's own bean (not shown in the thread); assumed to be a
    // plain holder for nome/cognome with ordinary getters and setters.
    public String eseguiQuery(Connection con, String nome, String cognome) throws SQLException {
        User user1 = new User();
        user1.setNome(nome);
        user1.setCognome(cognome);
        Statement stmt2 = con.createStatement();
        // 1) the method parameter is concatenated straight into the query text
        ResultSet rs11 = stmt2.executeQuery("select UTENTE " + "from USERS where NOME=" + nome);
        // 2) the same value, read back through the getter
        //    (note: a second executeQuery on the same Statement closes rs11)
        ResultSet rs2 = stmt2.executeQuery("select UTENTE " + "from USERS where NOME=" + user1.getNome());
        return "OK";
    }

The first executeQuery is recognised as a SQL injection, but in the second the SQL injection is not recognised. Why? Is it a bug? Thank you. (SonarQube version 5.1, Java plugin 3.2)
Hi,

This is expected behaviour: given the current state of the Java analyzer (no cross-file nor cross-method analysis), we have no way to determine whether the getNome() method is a simple getter or is doing some logic to escape the string (and/or that it relates to the setNome method). So, in order to avoid false positives, we avoid raising issues when we cannot say anything, such as when the value is returned from a method. This leads to some limitations of the rule: it will detect only the most obvious cases, but it avoids too many false positives.

Cheers,

2015-05-11 15:24 GMT+02:00 mnelli <[hidden email]>:
> I have this code (I created this code only to test this problem):
In reply to this post by mnelli
Hello mnelli,

This is actually not a bug. In your second situation, we cannot tell whether the result value of your method invocation is actually sanitized or not. Because of that uncertainty, and to not raise loads of false positives, we simply do not raise any issue when method invocations are used to build statements.

Regards,

On 11 May 2015 at 15:24, mnelli <[hidden email]> wrote:
> I have this code (I created this code only to test this problem):
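The two answers above describe the analyzer's limit: a value that comes back from a method call is not tracked, so the second concatenation is not reported even though it is just as injectable as the first. The following is an added example, not code from the thread or from the SonarQube project: it puts the two concatenating shapes mnelli posted next to the parameterized form that a PreparedStatement gives, and includes a pure string-building function so the effect of a hostile value can be inspected without a database. The User class here is a minimal stand-in for the poster's (assumed to be a plain bean); the table and column names (USERS, UTENTE, NOME) are taken from the posted query; the hostile input is constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class NomeLookup {

    /** Minimal bean, assumed to match the posted code's User: a plain getter,
     *  no escaping. An analyzer that cannot look inside it cannot know that. */
    public static final class User {
        private String nome;
        public String getNome() { return nome; }
        public void setNome(String nome) { this.nome = nome; }
    }

    /** The SQL text both concatenating variants send. Kept as a pure function
     *  so a hostile value can be examined without a JDBC driver. */
    public static String concatenatedSql(String nome) {
        return "select UTENTE from USERS where NOME=" + nome;
    }

    /** Variant 1 of the post: the method parameter is concatenated directly,
     *  so the analyzer sees the parameter flow into executeQuery. */
    public static String lookupDirect(Connection con, String nome) throws SQLException {
        try (Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(concatenatedSql(nome))) {
            return rs.next() ? rs.getString("UTENTE") : null;
        }
    }

    /** Variant 2 of the post: the same value, read back through a getter.
     *  Equally injectable; telling the two apart needs the analyzer to follow
     *  setNome/getNome across methods, which the answers say it does not do. */
    public static String lookupViaGetter(Connection con, String nome) throws SQLException {
        User user = new User();
        user.setNome(nome);
        try (Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(concatenatedSql(user.getNome()))) {
            return rs.next() ? rs.getString("UTENTE") : null;
        }
    }

    /** The fix: a bind parameter. The value never becomes part of the SQL text,
     *  so the missing quotes in the posted query and the injection both go away. */
    public static String lookupParameterized(Connection con, String nome) throws SQLException {
        try (PreparedStatement pstmt = con.prepareStatement(
                "select UTENTE from USERS where NOME = ?")) {
            pstmt.setString(1, nome);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next() ? rs.getString("UTENTE") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed hostile input. The posted query puts no quotes around the
        // value, so the attacker supplies them and appends a tautology.
        String hostile = "'x' OR 1=1";
        System.out.println(concatenatedSql(hostile));
    }
}
```

Running main prints the query the first two variants would send for that input, `select UTENTE from USERS where NOME='x' OR 1=1`, which returns every row. The parameterized variant sends `select UTENTE from USERS where NOME = ?` and passes `'x' OR 1=1` as a bound string value, so it matches only a user literally named that. The getter and the direct parameter are the same data flow; the difference the thread is about exists only in what the analyzer is able to see, not in what the database receives.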
Thank you, but in this case I think that it would be better to have a "false positive" instead of no alert.

In fact, in this case I don't find the real SQL injection that really exists (in this case). It is very probable that I pass a parameter into a SQL string directly from a method, and I think it would be better if this fact were reported. For example, this extra PMD security rule (with PMD, not SONAR) recognises this: https://github.com/GDSSecurity/GDS-PMD-Security-Rules

So, is there a way to add these rules to SONAR? Thank you!