Dynamic SQL in Java JDK 17 Multiline String is not detected

Hi,
when I scan the following code:

// text block + String.formatted(): not reported by the scan
String q = """
UPDATE users SET is_active = true WHERE name='%s';
""".formatted(args[0]);
stmt.execute(q);

SonarQube does not find anything. But when I scan:

// plain concatenation: reported by the scan
String q2 = "UPDATE users SET is_active = true WHERE name='" + args[0] + "';";
stmt.execute(q2);

I get the correct message: “Make sure using a dynamically formatted SQL query is safe here.” Maybe I am doing something wrong, but it looks like the dynamic SQL is not detected in the multiline string.

Cheers
Thomas

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    sonarqube-9.9.0.65466.zip

  • how is SonarQube deployed: zip, Docker, Helm
    ZIP

  • what are you trying to achieve
    Java Code Scan. Tried to detect dynamic SQL

  • what have you tried so far to achieve this
    See above


Hi Thomas, I tried to reproduce the issue and I think it’s not really about the multiline String, but more about the usage of methods like String.format and "some string".formatted(), which are not taken into consideration by the analyzer right now. I have created this ticket to add support for these kinds of methods when dealing with sensitive query strings.

Thanks for the report!
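To make the reply concrete: the three query-building variants below expand to the same injected statement, whether the input is spliced in by concatenation, by String.format(), or by a text block with formatted(). This is an added example written for this page, not code from the original post or from SonarSource; the class name, method names and the attacker input are constructed for illustration, and no database driver is needed to run main() (the PreparedStatement method takes a Connection but is not invoked). It needs Java 15 or later for text blocks and formatted().

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Three ways of building the same dynamic query from untrusted input, plus the
 * parameterised form that removes the injection. Hypothetical example class.
 */
public class DynamicSqlVariants {

    // Constructed attacker input: closes the quoted literal and adds a clause
    // that matches every row.
    static final String PAYLOAD = "x' OR '1'='1";

    // Variant 1: concatenation. This is the shape the scan already reports.
    static String concatQuery(String name) {
        return "UPDATE users SET is_active = true WHERE name='" + name + "';";
    }

    // Variant 2: String.format(). Same query, same injection, different call site.
    static String formatQuery(String name) {
        return String.format("UPDATE users SET is_active = true WHERE name='%s';", name);
    }

    // Variant 3: text block + formatted(). The text block is not the issue;
    // formatted() splices untrusted input into the query exactly like variant 1.
    // strip() only drops the text block's trailing newline so the results compare equal.
    static String formattedQuery(String name) {
        return """
                UPDATE users SET is_active = true WHERE name='%s';
                """.formatted(name).strip();
    }

    // Hardened form: the SQL text is a constant and the value travels as a bound
    // parameter, so it can never become part of the statement.
    static int safeUpdate(Connection conn, String name) throws SQLException {
        String sql = "UPDATE users SET is_active = true WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        String q1 = concatQuery(PAYLOAD);
        String q2 = formatQuery(PAYLOAD);
        String q3 = formattedQuery(PAYLOAD);

        // All three variants yield the same injected statement; only the first
        // one was reported in the scan described in the thread.
        System.out.println(q1);
        if (!q1.equals(q2) || !q1.equals(q3)) {
            throw new AssertionError("variants diverged");
        }

        // The check a reviewer applies by hand, whichever API did the splicing:
        // does the string handed to the driver contain the raw input?
        System.out.println("input reaches SQL text: " + q1.contains(PAYLOAD));
    }
}
```

Run it with `java DynamicSqlVariants.java` (single-file source launch). The printed statement is `UPDATE users SET is_active = true WHERE name='x' OR '1'='1';`, which would activate every user, and the same text comes out of all three variants. Until the analyzer covers String.format and formatted(), a code review has to treat any call that feeds external input into a format string that later reaches execute() as the same hotspot as concatenation; the fix in every case is the constant-SQL plus bound-parameter form in safeUpdate.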

Thanks