Detecting SQL injection in calls to custom libraries

Hi,

I have an internal Java library that provides some methods to help build SQL statements. The library is scanned with Sonar and built, and then used in a larger Java application which is itself scanned with Sonar.

I’m looking for a way to flag in the application that unvalidated input to some of the methods of this library should trigger either a vulnerability or a hotspot (RSPEC-2077 or RSPEC-3649, for example).

I’m a SonarCloud user, so I’m unable to write a custom plugin for this (if I understand correctly).

For example, in the sample below, imagine List<String> sort is a parameter received through a Spring REST controller endpoint:

        SelectStatement statement =
                sqlQueryService.statementBuilder(queryParams)
                        .selectFields(selectedFields)
                        .groupBy(FIELD)
                        .orderBy(!sort.isEmpty() ? sort : List.of(FIELD))
                        .build();

        var res = sqlQueryService.query(connection, statement);

… I’d like to flag the .orderBy() call with something like RSPEC-2077 or RSPEC-3649 if sort is unvalidated.

In my head, I’m imagining a @SqlUnsafe annotation I could put on the .orderBy() method parameter. I’m pretty certain nothing like this exists, but I’m curious how people deal with this sort of thing, particularly in SonarCloud where you can’t write custom rules.

Thanks,
Mike
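
One way to remove the sink described above, as an added example that is not part of the original post or of the poster's library: the user-supplied sort list is checked against an allowlist of column names before anything reaches an ORDER BY, so only fixed identifiers are ever concatenated. The column names, SortTerm, validate and orderByClause are constructed for this illustration (Java 16+ for the record).

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added example, not from the original post or the poster's internal library.
// Every sort entry must name a known column, optionally prefixed with "-"
// for descending order; anything else is rejected before it reaches SQL.
public final class SortValidator {

    // Constructed allowlist: the only columns clients may sort by.
    private static final Set<String> SORTABLE_COLUMNS =
            Set.of("created_at", "status", "customer_id");

    /** One validated sort term: an allowlisted column plus a direction. */
    public record SortTerm(String column, boolean descending) {
        String toSql() { return column + (descending ? " DESC" : " ASC"); }
    }

    /** Maps raw request values to terms, rejecting unknown columns. */
    public static List<SortTerm> validate(List<String> sort) {
        return sort.stream().map(raw -> {
            boolean desc = raw.startsWith("-");
            String column = desc ? raw.substring(1) : raw;
            if (!SORTABLE_COLUMNS.contains(column)) {
                throw new IllegalArgumentException("unsortable field: " + raw);
            }
            return new SortTerm(column, desc);
        }).collect(Collectors.toList());
    }

    /** Renders the clause from validated terms only; empty input uses the default. */
    public static String orderByClause(List<String> sort, String defaultColumn) {
        List<SortTerm> terms = sort.isEmpty()
                ? List.of(new SortTerm(defaultColumn, false))
                : validate(sort);
        return "ORDER BY " + terms.stream().map(SortTerm::toSql)
                .collect(Collectors.joining(", "));
    }

    public static void main(String[] args) {
        // Accepted: both entries are allowlisted columns.
        System.out.println(orderByClause(List.of("-created_at", "status"), "customer_id"));
        // Rejected: "password_hash" is a real-looking name but not on the allowlist.
        try {
            orderByClause(List.of("password_hash"), "customer_id");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the builder only ever receives SortTerm values produced by validate, a static analyser that taints the request parameter has no path from it into the query string.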

Hi Mike,

I know you’re hoping for answers from other users, rather than any kind of official response. Hopefully that will come.

And I just want to point out that what you’re after is available in SonarQube Enterprise Edition ($$).

HTH,
Ann

Thanks! Happy for answers anywhere they come, really. Official or unofficial. I did not know about Enterprise Edition, but it looks like it’s self-hosted maybe, as opposed to SonarCloud.


Hi,

Yes, you’re right. SonarQube is self-managed (currently…)

Ann