A false negaitve about the rule RSPEC-6350

Belle · April 28, 2022, 6:10am

Hi, I found a false negative about the rule RSPEC-6350. Please read the following code example. SonarQube should have reported a warning in line 5 because input parameter is executed.

public void foo() {
    try {
        Scanner in = new Scanner(System.in);
        String input = in.next();
        String cmd[] =  new String[] { "/usr/bin/find", input};  // should report a warning here
        Runtime.getRuntime().exec(cmd);
    } catch (Exception e) {
        e.printStackTrace();
    }
}

SonarQube and Scanner version: Latest

Hendrik_Buchwald · April 28, 2022, 7:31am

Hello Belle,

Our taint-analysis to find injection vulnerabilities is mainly focused on web applications at the moment. In your example, the input is System.in which we consider trusted at the moment. If you change the code to use, for example, a GET parameter of a HTTP request instead, an issue should be raised.

In case you are using the Enterprise Edition of SonarQube you can define your own sources, so you could add System.in as a source there if this is something that you want.

system · May 31, 2022, 3:24pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
A false negative about the rule RSPEC-3516 Report False-positive / False-negative... java , sonarqube , scanner	2	618	April 26, 2022
False Negative for rule RSPEC-2127 Report False-positive / False-negative... java , sonarqube , scanner	1	12	May 30, 2025
False Negative for rule RSPEC-6070 Report False-positive / False-negative... java , sonarqube , scanner	3	24	June 3, 2025
False negatives about the rule RSPEC 2692 Report False-positive / False-negative... java	2	498	May 12, 2022
False negaitve about the rule RSPEC-2658 Report False-positive / False-negative...	2	11	June 27, 2025

A false negaitve about the rule RSPEC-6350

Related topics