A false negative about the rule RSPEC-6350

Hi, I found a false negative about the rule RSPEC-6350. Please read the following code example. SonarQube should have reported a warning in line 5 because the input parameter is executed.

public void foo() {
    try {
        Scanner in = new Scanner(System.in);                    // java.util.Scanner; System.in is the source of the untrusted value
        String input = in.next();                               // one whitespace-delimited token, fully attacker-controlled
        String[] cmd = new String[] { "/usr/bin/find", input }; // should report a warning here: the token becomes a find argument unchanged
        Runtime.getRuntime().exec(cmd);                         // sink; exec() throws IOException, caught below
    } catch (Exception e) {
        e.printStackTrace();
    }
}

SonarQube and Scanner version: Latest

Hello Belle,

Our taint analysis to find injection vulnerabilities is mainly focused on web applications at the moment. In your example, the input is System.in, which we consider trusted at the moment. If you change the code to use, for example, a GET parameter of an HTTP request instead, an issue should be raised.

In case you are using the Enterprise Edition of SonarQube you can define your own sources, so you could add System.in as a source there if this is something that you want.

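
The following is an added example, not code from the original thread or from SonarSource: the same find call rewritten so that the argument comes from an HTTP request parameter, which is the kind of source the reply says the taint analysis does track, placed beside a hardened version of the same call. The servlet API, the class names, the parameter name "dir" and the base directory /var/app/data are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the "dir" request parameter is attacker-controlled and reaches exec() unchanged.
// The array form of exec() avoids shell interpretation, but the value is still find's first
// argument, so a value such as "-delete" changes what find does instead of naming a directory.
class VulnerableFindServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String dir = request.getParameter("dir");                           // source: HTTP GET parameter
        Runtime.getRuntime().exec(new String[] { "/usr/bin/find", dir });   // sink: tainted argument
    }
}

// Added example: allowlist the token and anchor it under a fixed directory before it reaches exec().
class HardenedFindServlet extends HttpServlet {
    // Assumption: searches are only ever meant to run below this directory.
    private static final Path BASE_DIR = Paths.get("/var/app/data").toAbsolutePath().normalize();
    // Assumption: a single path component of a limited character set is all the feature needs.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    static String[] buildFindCommand(String userValue) {
        if (userValue == null || !SAFE_NAME.matcher(userValue).matches()) {
            throw new IllegalArgumentException("rejected directory name");
        }
        Path target = BASE_DIR.resolve(userValue).normalize();
        // ".." passes the regex but resolves above BASE_DIR; Path.startsWith compares whole components,
        // so /var/app/data2 does not pass as a child of /var/app/data either.
        if (!target.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        // The resolved path is absolute, so find can never read it as an option such as "-delete".
        return new String[] { "/usr/bin/find", target.toString() };
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String[] cmd = buildFindCommand(request.getParameter("dir"));
        Runtime.getRuntime().exec(cmd);
    }
}
```

Running the analysis over the first servlet is the positive case the reply describes; the second keeps the same sink but breaks the flow with a check that the argument can only ever be a path below BASE_DIR. Replacing the regex with an escaping step would not be enough here, because the risk is argument injection into find rather than shell metacharacters.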
