Error in tainted data analysis

On Java 11 with SonarQube Enterprise Edition, Version 8.9.6 (build 50800),
I have a problem with the rule "Change this code to not log user-controlled data", which means I have to sanitize the code to avoid \n\r\t injection.

In my controller I receive a POJO DocumentDto. In my mapper I convert it to an entity, Document. During the mapping I make two manipulations:

  1. If a property has a string value with just a space or nothing, I change it to null
  2. If the string is filled, I replace \n\r\t with underscores

After that I display the value of the object in my log.

Sonar still thinks the data is tainted. It shows me this:

    @PostMapping("/Document")
    public ResponseEntity<DocumentDto> addDocument(@Valid @RequestBody /* 1 */ DocumentDto documentDto) {
        var document = DocumentMapper.mapperDocumentDtoToDocument(documentDto);

Point 1 says → data tainted, and I'm OK with that.

Then in my mapper:

    public static DocumentContrat mapperDocumentContratDtoToDocumentContrat(DocumentContratDto input) {
        /* 3 */ var output = /* 2 */ new DocumentContrat();
        output.setCdApplicatif(getStringValueOrNullFromString(input.getCdApplicatif()));
        output.setCdUnifie(getStringValueOrNullFromString(input.getCdUnifie()));

Points 2 and 3 say → tainted data propagation. I'm NOT OK with that: the object is new, the data is empty.

Then in the controller, for it the data is still tainted:

        /* 5 */ var document = /* 4 */ DocumentMapper.mapperDocumentDtoToDocument(documentDto);

        // some tests about data validity, you can see them in the complete code below

        /* 6 */ LOGGER.info("add documentContrat :\n{}", documentContrat);

Points 4 and 5 say → tainted data propagation.
Point 6 says "Change this code to not log user-controlled data".

For me it shouldn't consider that
var output = new DocumentContrat()
propagates the tainted value. It's a new object!
It could say that filling in a value could propagate the tainted value:

output.setCdApplicatif(getStringValueOrNullFromString(input.getCdApplicatif()));

but if it analyzes this line it will find that getStringValueOrNullFromString sanitizes the data.

    public static String getStringValueOrNullFromString(String input) {
        return (input == null || input.isEmpty()) ? null : input.replaceAll("[\n\r\t]", "_");
    }

So for me it's a false positive.

Here is the complete code:

    public ResponseEntity<DocumentDto> addDocument(@Valid @RequestBody DocumentDto documentDto) {

        var document = DocumentMapper.mapperDocumentDtoToDocument(documentDto);

        if (document.getDocumentId() != null) {
            return new ResponseEntity<>(HttpStatus.FORBIDDEN);
        }

        var documentDuplicates = new DocumentContrat();
        documentDuplicates.setCdUnifie(document.getCdUnifie());
        boolean hasNoDuplicates = this.documentContratService.searchDocument(documentDuplicates).isEmpty();

        if (!hasNoDuplicates) {
            return new ResponseEntity<>(HttpStatus.CONFLICT);
        }

        LOGGER.info("add document :\n{}", document);
        var documentUpdated = this.documentService.addDocument(document);
        updateTableDetails();
        return new ResponseEntity<>(DocumentMapper.mapperDocumentToDocumentDto(documentUpdated), HttpStatus.OK);
    }

    public static Document mapperDocumentDtoToDocument(DocumentDto input) {
        var output = new Document();
        output.setCdApplicatif(getStringValueOrNullFromString(input.getCdApplicatif()));
        output.setCdUnifie(getStringValueOrNullFromString(input.getCdUnifie()));
        output.setDocumentContratId(input.getDocumentContratId());
        output.setLbCode(getStringValueOrNullFromString(input.getLbCode()));
        return output;
    }

    public static String getStringValueOrNullFromString(String input) {
        return (input == null || input.isEmpty()) ? null : input.replaceAll("[\n\r\t]", "_");
    }
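As an added illustration (not code from the original post or from SonarSource): a stand-alone Java sanitizer for the log-injection case the rule is about. It implements the two manipulations the post describes, but covers the whitespace-only case with isBlank() (the posted code uses isEmpty(), which keeps a lone space) and replaces every ASCII control character rather than only \n, \r and \t, so a user-controlled value cannot add a second, forged line to the log. The class name, the lineCount helper and the sample input are assumptions constructed for this example; whether SonarQube's taint analyzer recognizes a given method as a sanitizer depends on the analyzer version and rule configuration and is not shown here.

```java
import java.util.regex.Pattern;

/** Added example (not from the original post): sanitizing user-controlled strings before logging. */
public final class LogSanitizer {

    // \p{Cntrl} in Java regex is [\x00-\x1F\x7F]: it covers \n, \r and \t, plus form feed,
    // vertical tab, backspace and ESC, which can also corrupt log lines or terminal output.
    private static final Pattern CONTROL_CHARS = Pattern.compile("\\p{Cntrl}");

    private LogSanitizer() {
    }

    /**
     * Returns null for a null, empty or whitespace-only value (the behaviour the post describes;
     * isEmpty() alone would keep a lone space), otherwise the value with every control
     * character replaced by an underscore.
     */
    public static String getStringValueOrNullFromString(String input) {
        if (input == null || input.isBlank()) { // isBlank() is available since Java 11
            return null;
        }
        return CONTROL_CHARS.matcher(input).replaceAll("_");
    }

    /** Number of lines a value would occupy in a log file; more than one means it can forge entries. */
    static long lineCount(String value) {
        return value == null ? 0 : value.lines().count();
    }

    public static void main(String[] args) {
        // Constructed sample input: a value that, logged unchanged, would append a fake
        // log entry after the real one.
        String forged = "ABC123\r\n2024-01-01 12:00:00 INFO  login ok user=admin";
        String safe = getStringValueOrNullFromString(forged);

        System.out.println("raw value occupies       " + lineCount(forged) + " line(s)");
        System.out.println("sanitized value occupies " + lineCount(safe) + " line(s)");
        System.out.println("sanitized value: " + safe);

        System.out.println("whitespace-only -> " + getStringValueOrNullFromString("   "));
        System.out.println("empty           -> " + getStringValueOrNullFromString(""));
        System.out.println("tab in value    -> " + getStringValueOrNullFromString("a\tb"));
    }
}
```

Keeping the sanitizer in one small, side-effect-free method and calling it at the point where the value is logged (rather than only inside the mapper) makes the data flow from the request body to the logger as short as possible, which is also what makes it easy for a reviewer, or a taint analyzer, to see that the logged value has passed through it.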

Hey there.

Thanks for the feedback! Let me suggest that you take a look at this thread:

We’re missing some important pieces of information: like what product(s) you’re using, what versions, and a properly commented code snippet (right now yours is spread across multiple quote blocks).

Could you please update your opening post?

Done. I hope it is clearer now.

Hello @Hellric and welcome to the community!

The SonarQube version you are using is very old. I know it is the current LTS, but it still does not contain all the improvements that we have added to the taint analyzer (and all the other analyzers) in the last 1 1/2 years. Unfortunately, I cannot run your code as I am missing all the other code of the project, but it is likely that the issue is not reported like this anymore.
The next LTS version will be released in about 1 1/2 months as far as I am aware. So I would recommend either waiting for this release or giving it a try with the latest non-LTS version. Thanks!