Hi,
when I scan the following code:

```java
String q = """
    UPDATE users SET is_active = true WHERE name='%s';
    """.formatted(args[0]);
stmt.execute(q);
```

SonarQube does not find anything. But when I scan:

```java
String q2 = "UPDATE users SET is_active = true WHERE name='" + args[0] + "';";
stmt.execute(q2);
```

I get the correct message: "Make sure using a dynamically formatted SQL query is safe here." Maybe I am doing something wrong, but it looks like the dynamic SQL is not detected in the multiline string.
Cheers
Thomas
Must-share information (formatted with Markdown):
- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): sonarqube-9.9.0.65466.zip
- how is SonarQube deployed (zip, Docker, Helm): ZIP
- what are you trying to achieve: Java code scan; tried to detect dynamic SQL
- what have you tried so far to achieve this: see above
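As an added illustration (not code from the post above and not SonarSource's own test case), the following program shows why the two snippets deserve the same finding: the text block with `String.formatted()`, plain concatenation and `String.format()` all hand the database byte-for-byte identical SQL text when given a hostile name, so the vulnerability is the same and only the syntax differs. It also shows the form that does not need a "make sure this is safe" warning at all, a `PreparedStatement` with a bind parameter. The hostile input, the class name, and the `activateUser` helper are assumptions made for the example; `activateUser` needs a live JDBC `Connection`, so `main()` does not call it.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class DynamicSqlDemo {

    // Constructed hostile input: closes the quoted literal, then appends a second statement.
    static final String HOSTILE_NAME = "bob'; DROP TABLE users; --";

    // Variant 1: Java text block plus String.formatted(), the form SonarQube missed.
    static String viaTextBlock(String name) {
        return """
            UPDATE users SET is_active = true WHERE name='%s';
            """.formatted(name);
    }

    // Variant 2: plain concatenation, the form SonarQube flagged.
    static String viaConcat(String name) {
        return "UPDATE users SET is_active = true WHERE name='" + name + "';";
    }

    // Variant 3: the older String.format() spelling of the same thing.
    static String viaFormat(String name) {
        return String.format("UPDATE users SET is_active = true WHERE name='%s';", name);
    }

    // Safe form: the user-controlled value travels as a bind parameter, never as SQL text.
    // Hypothetical helper for the example; requires a real JDBC Connection, so it is
    // compiled but not executed by main().
    static int activateUser(Connection conn, String name) throws SQLException {
        String sql = "UPDATE users SET is_active = true WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : HOSTILE_NAME;
        // strip() only removes the text block's trailing newline so the three can be compared.
        String a = viaTextBlock(name).strip();
        String b = viaConcat(name).strip();
        String c = viaFormat(name).strip();
        System.out.println(a);
        // All three build the same injected statement: the user input has become SQL.
        if (!a.equals(b) || !b.equals(c)) {
            throw new AssertionError("variants diverged");
        }
        System.out.println("All three dynamic variants produce identical SQL text.");
    }
}
```

Run with `java DynamicSqlDemo.java` (Java 15 or later for text blocks) and the printed statement contains the injected `DROP TABLE users`; a static rule that keys on the concatenation or on `String.format` but not on `String.formatted` applied to a text block leaves exactly that case uncovered, which is what the post reports.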