A malicious value can be assigned to this data structure

I use "Enterprise Edition 10.7" and try to make this data structure `parametersMap.put("doc_letter", letter);`. Don't scan yourself as if you were vulnerable.
I apply what Sonar recommends (sanitize the parameter): `data = data.replaceAll("[\n\r]", "_");`, but this problem is still detected.
Are there any additional recommendations to review?
thank you!

Hi,

Could you provide a screenshot that shows the suggested fix being applied and the issue still being raised?

Thx,
Ann

Ann! Thank you! Below I will send you a print of the issue and Sonar’s recommendation.

Issue:

I would also like to clarify that the problem only occurs with the variable ‘dataletter’ (string) because other variables of the same type do not cause the problem.

Sonar's suggestion:

Thanks!

Hi,

Thanks for the screenshots. Unfortunately, since they’re slices out of the full picture, they’re a little difficult for me to follow.

Could you provide a full reproducer code snippet?

Thx,
Ann

Ok,
here I give you the code fragment:

```java
// Imports the fragment needs (added for completeness; the original post omitted them)
import java.sql.Types;
import java.time.LocalDate;
import java.util.HashMap;
import java.util.Map;
import org.springframework.jdbc.core.SqlInOutParameter;
import org.springframework.jdbc.core.SqlOutParameter;
import org.springframework.jdbc.core.SqlParameter;
import org.springframework.jdbc.core.simple.SimpleJdbcCall;

public String getNroSerieNCobra(Integer companyId, String posId, String letter, String documentNumber, LocalDate documentDate) throws ClaroPackageFunctionException {
    String dataLetter = letter;
    if (dataLetter != null) {
        // Sanitizer suggested by Sonar: neutralise CR/LF so the value cannot forge extra log lines
        dataLetter = dataLetter.replaceAll("[\n\r]", "_");
        log.info("Invocando [{}] con parametros: companyId[{}] posId[{}] letter[{}] documentNumber[{}] documentDate[{}]",
                BUSCO_NRO_SERIE_NCOBRA, companyId, posId, dataLetter, documentNumber, documentDate);
    }
    // Stored function call; every input is a declared, bound parameter (no SQL text is built from them)
    final SimpleJdbcCall jdbcCall = new SimpleJdbcCall(jdbcTemplate)
            .withoutProcedureColumnMetaDataAccess()
            .withSchemaName(schema)
            .withCatalogName(PKG)
            .withFunctionName(BUSCO_NRO_SERIE_NCOBRA);
    jdbcCall.addDeclaredParameter(new SqlOutParameter("v_serie", Types.VARCHAR));
    jdbcCall.addDeclaredParameter(new SqlParameter("doc_cmp_id", Types.NUMERIC));
    jdbcCall.addDeclaredParameter(new SqlParameter("doc_pos_id", Types.VARCHAR));
    jdbcCall.addDeclaredParameter(new SqlParameter("doc_letter", Types.VARCHAR));
    jdbcCall.addDeclaredParameter(new SqlParameter("nro_doc_id", Types.VARCHAR));
    jdbcCall.addDeclaredParameter(new SqlParameter("doc_document_date", Types.DATE));
    jdbcCall.addDeclaredParameter(new SqlInOutParameter(P_ERROR, Types.NUMERIC));
    Map<String, Object> parametersMap = new HashMap<>();
    parametersMap.put("doc_cmp_id", companyId);
    parametersMap.put("doc_pos_id", posId);
    // This is the line Sonar flags ("A malicious value can be assigned to this data structure")
    parametersMap.put("doc_letter", dataLetter);
    parametersMap.put("nro_doc_id", documentNumber);
    parametersMap.put("doc_document_date", documentDate);
    parametersMap.put("v_error", null);
    Map<String, Object> result = jdbcCall.execute(parametersMap);
    // The posted fragment ends at execute(); returning the declared out parameter is an assumed continuation
    return (String) result.get("v_serie");
}
```

These are the items of the issue to associate with the previous prints, and they refer to the variable letter.

1 Like
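To show what the suggested `replaceAll("[\n\r]", "_")` actually protects against, here is an added, self-contained example (not code from the thread, and not SonarSource's): it builds the same kind of info line the method above logs, feeds it a constructed `letter` value that carries a line break, and prints the log line with and without the sanitizer. It also shows a stricter variant that neutralises every control character (an assumption of this example, not something the thread recommends), and a plain map standing in for the bound `parametersMap`, where the raw value is handed to a named `VARCHAR` parameter rather than spliced into SQL text. The class name, the `0001-00000001` document number and the forged string are all constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not the thread's code): the CR/LF sanitizer Sonar suggests,
 * why it matters for a log line, and a stricter variant.
 */
public class LogForgingExample {

    /** Sanitizer as suggested in the thread: neutralise line breaks only. */
    static String sanitizeCrLf(String value) {
        return value == null ? null : value.replaceAll("[\n\r]", "_");
    }

    /**
     * Stricter variant (assumption of this example, not from the thread): also
     * neutralise other control characters such as backspace or ESC, which can
     * still garble a terminal or log viewer even though they add no new line.
     */
    static String sanitizeControlChars(String value) {
        return value == null ? null : value.replaceAll("\\p{Cntrl}", "_");
    }

    /** Builds the same shape of info line the thread's method writes. */
    static String logLine(String letter, String documentNumber) {
        return "Invocando [BUSCO_NRO_SERIE_NCOBRA] con parametros: letter["
                + letter + "] documentNumber[" + documentNumber + "]";
    }

    /**
     * Stand-in for the thread's parametersMap: values are bound by name to
     * declared SqlParameters, so the raw value never becomes SQL text. Only
     * the log line needs sanitising; the map itself is a parameterised sink.
     */
    static Map<String, Object> parameters(String letter, String documentNumber) {
        Map<String, Object> m = new LinkedHashMap<>();
        m.put("doc_letter", letter);       // raw value, bound as a VARCHAR parameter
        m.put("nro_doc_id", documentNumber);
        return m;
    }

    public static void main(String[] args) {
        // Constructed input: a "letter" carrying a line break followed by text
        // shaped like a second, fake log entry.
        String forged = "A\nINFO Invocando [BUSCO_NRO_SERIE_NCOBRA] con parametros: letter[B]";
        String docNumber = "0001-00000001";

        // Without the sanitizer the log shows two entries; with it, one entry containing "A_INFO ..."
        System.out.println("unsanitised:\n" + logLine(forged, docNumber));
        System.out.println("sanitised:\n" + logLine(sanitizeCrLf(forged), docNumber));

        // A terminal escape sequence passes the CR/LF sanitizer but not the strict one
        String escape = "A\u001b[2J";
        System.out.println("crlf only: " + logLine(sanitizeCrLf(escape), docNumber));
        System.out.println("strict:    " + logLine(sanitizeControlChars(escape), docNumber));

        // The bound parameter map keeps the raw value; the database driver binds it, it is never concatenated
        System.out.println(parameters(forged, docNumber));
    }
}
```

Compile and run with `javac LogForgingExample.java && java LogForgingExample`. The point for the thread: the sanitizer only changes what reaches the log, so a taint rule that still flags the `parametersMap.put(...)` line is reporting the bound-parameter map as a sink, which is why the reply below treats it as a likely false positive rather than something further sanitising would fix.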

Hi,

Thanks for the code. I've flagged this for the experts.

Ann

Hello @Ricardo_Emilio_Borto,

Thanks for reporting this and for the reproducer, I am 90% sure this is a false positive on our side.

I think this is likely due to a problem in our support of org.springframework.jdbc.core.simple.SimpleJdbcCall#execute(java.util.Map).

For now, you can set this as a false positive in your code, and I will internally investigate this problem.

Have a nice day!

Loris

1 Like