Dynamic SQL in Java JDK 17 Multiline String is not detected

thomasub · May 4, 2023, 7:57pm

Hi,
when I scan the following code:

String q = """
UPDATE users SET is_active = true WHERE name='%s';
""".formatted(args[0]);
stmt.execute(q);

SonarCube does not find anything. But when I scan:

String q2 = "UPDATE users SET is_active = true WHERE name='" + args[0] + "';";
stmt.execute(q2);

I get the correct message: “Make sure using a dynamically formatted SQL query is safe here.”. Maybe I am doing something wrong, but it looks like the dynamic SQL is not dected in the multiline string.

Cheers
Thomas

Must-share information (formatted with Markdown):

which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
sonarqube-9.9.0.65466.zip
how is SonarQube deployed: zip, Docker, Helm
ZIP
what are you trying to achieve
Java Code Scan. Tried to detect dynamic SQL
what have you tried so far to achieve this
See above

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

Leonardo_Pilastri · May 8, 2023, 9:58am

Hi Thomas, I tried to reproduce the issue and I think it’s not really about the multiline String, but more about the usage of methods like String.format and "some string".formatted() which are not taken in consideration by the analyzer right now. I have created this ticket to add support for these kind of methods when dealing with sensitive query strings.

Thanks for the report!

thomasub · May 8, 2023, 10:17am

Thanks