We’re using SonarCloud and for a reason I can’t understand the default profile (Sonar way) still holds squid:S2077 activated although it’s deprecated and actually detecting false positives (not always but on various occasions).
I can give a false positive example but since it’s already deprecated I believe the right thing to do is to remove it from Sonar way…
Note this is an OWASP-A1 & SANS top 25 vulnerability rule so the implications are severe from status perspective…
Ok, is there an ETA? Will it be released in the next month or so?
Meanwhile what could be the best workaround? I can create a custom quality profile based on the Sonar way and deactivate this rule, but then what will happen when the next release of the Java agent will be published? Will my profile be updated with the new rule changes, or will I need to somehow know about the new release and update my profile (or revert back to the Sonar way) in order to get those new rules?
Thank you for your patience. As of SonarJava 5.9, which was released two weeks ago, rule S2077’s type changed from “Vulnerability” to “Security Hotspot”. The deprecation has been removed.
Security Hotspot rules raise issues on security-sensitive code which needs to be reviewed. The goal of these rules is not to pinpoint real vulnerabilities, but instead to guide security auditors during their code review, thus simplifying their work. Security Hotspot issues do not count in the Quality Gate.
The rule S3649 replaces S2077 as “Vulnerability rule”. It uses SonarQube’s taint analysis engine, which creates fewer false positives and explains where the injection comes from. However, just as any other taint analysis engine, it cannot detect every possible injection. Only a “manual secure code review” (see OWASP doc) can do it, which is why we added the concept of Security Hotspots.
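To make the difference between the hotspot-style rule and the taint-based rule concrete, here is an added illustration (not code from this thread or from SonarSource). It assumes a JDBC Connection, the constructed class and method names, and the rule behaviour as described in the reply above: S2077 reacts to SQL built by string formatting, S3649 to data flowing from an untrusted source into a query.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

// Constructed example class; the table names and queries are illustrative only.
public class UserLookup {

    // Case 1: the query is dynamic, but the only variable part is checked against a
    // compile-time whitelist and nothing user-controlled reaches the string. A
    // formatting-based hotspot rule (S2077) is expected to report the concatenation
    // for review; a taint-based rule (S3649) has no untrusted source to follow and
    // is expected to stay silent. This is the kind of "false positive" the thread
    // is about, and a reviewer can close it as safe.
    private static final Set<String> ALLOWED_TABLES = Set.of("users", "admins");

    static String tableQuery(String table) {
        if (!ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("unknown table: " + table);
        }
        return "SELECT id, name FROM " + table; // dynamic SQL, but not tainted
    }

    // Case 2: an untrusted value (for example an HTTP request parameter) is
    // concatenated into the statement. Both rules are expected to report this, and
    // the taint-based rule additionally shows the path from source to sink.
    static ResultSet findByNameUnsafe(Connection conn, String userInput) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = '" + userInput + "'";
        return conn.createStatement().executeQuery(sql); // injection sink
    }

    // Case 3: hardened form. The user value is bound as a parameter, so the driver
    // never interprets it as SQL syntax. Neither rule is expected to report this.
    static ResultSet findByName(Connection conn, String userInput) throws SQLException {
        PreparedStatement ps =
            conn.prepareStatement("SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, userInput);
        return ps.executeQuery();
    }
}
```

A custom quality profile that deactivates S2077 would silence Case 1 but also Case 2; keeping the hotspot and reviewing it is what lets the safe case be marked as such without losing the unsafe one.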
Yes, or more specifically in all cases where a rule is marked as deprecated or you know a better one to migrate to. I guess that seems most often to be in the context of the commercial editions, so it’s also a form of advertisement.
Yes, at least on Version 7.2.1 for Java, haven’t tried newer versions yet. It’s welcome if you split the discussion off.