Hi, I found a false negative about the rule RSPEC-6350. Please read the following code example. SonarQube should have reported a warning on line 5 because the input parameter is executed.
```java
import java.util.Scanner;

public class Foo {
    public void foo() {
        try {
            Scanner in = new Scanner(System.in);
            String input = in.next();
            String[] cmd = new String[] { "/usr/bin/find", input }; // line 5 of the original snippet: should report a warning here
            Runtime.getRuntime().exec(cmd);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
SonarQube and Scanner version: Latest
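The flow the post describes is untrusted data from `Scanner.next()` reaching `Runtime.exec`. Because the array form of `exec` never goes through a shell, the risk is not shell metacharacters but argument injection: `find` treats any argument beginning with `-` as an expression, so attacker-controlled arguments can change what the command does. The following added example (not code from the post or from SonarSource) places the vulnerable builder from the post beside a hardened one that allowlists the input and confines the resulting path to a fixed search root. The root directory, the class and method names, and the sample inputs are assumptions made for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class FindCommandExample {

    // Assumed base directory that untrusted callers may search (not from the post).
    private static final Path SEARCH_ROOT = Paths.get("/var/data/public");

    // Allowlist: one path segment that starts with a letter or digit and contains only
    // letters, digits, '.', '_' or '-'. The first-character rule rejects "-..." (which find
    // would parse as an expression) and ".." (path traversal) before any path handling.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    /** Vulnerable form from the post: untrusted input becomes a find(1) argument unchanged. */
    static String[] buildVulnerableCommand(String input) {
        return new String[] { "/usr/bin/find", input };
    }

    /**
     * Hardened form: validate against the allowlist, then resolve under SEARCH_ROOT and
     * re-check containment as defence in depth. The argument handed to find is always an
     * absolute path below SEARCH_ROOT, so it can never start with '-'.
     */
    static String[] buildHardenedCommand(String input) {
        if (input == null || !SAFE_SEGMENT.matcher(input).matches()) {
            throw new IllegalArgumentException("rejected: not a plain directory name");
        }
        Path target = SEARCH_ROOT.resolve(input).normalize();
        if (!target.startsWith(SEARCH_ROOT)) {
            throw new IllegalArgumentException("rejected: path escapes search root");
        }
        return new String[] { "/usr/bin/find", target.toString() };
    }

    /** Runs find on a validated directory name; the taint flow ends at the allowlist check. */
    static Process runFind(String input) throws java.io.IOException {
        return Runtime.getRuntime().exec(buildHardenedCommand(input));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign name, one traversal attempt, one find expression.
        String[] samples = { "reports", "../etc", "-delete" };
        for (String s : samples) {
            try {
                String[] cmd = buildHardenedCommand(s);
                System.out.println("accepted: " + String.join(" ", cmd));
            } catch (IllegalArgumentException e) {
                System.out.println("input '" + s + "' " + e.getMessage());
            }
        }
    }
}
```

Running `main` builds the command for each sample without executing it: only `reports` is accepted and becomes `/usr/bin/find /var/data/public/reports`; `../etc` and `-delete` are rejected by the allowlist. A taint-tracking rule such as RSPEC-6350 should treat the validated path in `buildHardenedCommand` as sanitized and the raw `input` in `buildVulnerableCommand` as a finding.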