False Negative pattern not identified in javasecurity-rules

When you use java.util.Optional, the taint analysis algorithm loses the taint information and therefore does not create an issue. Just compare these 2 XSS:

resp.getWriter().write(badValue); // detected by javasecurity:S5131
resp.getWriter().write(Optional.of(badValue).get()); // not detected by javasecurity:S5131

Below is an example file which also uses a Custom-Wrapper that gets recognized. It seems that only Optional causes a problem.

XssServlet.txt (970 Bytes)

I initially detected it with javasecurity:S3649 (SQLi), but since XSS is also affected, I guess all other security rules are affected as well.
I don’t know which other languages supported by the SonarQube Security Analyzer allow a similar pattern, but they might be affected as well.

Our environment:
SonarQube Datacenter Edition 9.6.1
The scan was done through the Maven plugin, no special config; the Maven project only contains this single file.
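The following is an added illustration of the pattern described in this report, not the attached XssServlet.txt or any SonarSource code. It shows that `Optional.of(x).get()` returns the tainted string unchanged (so the sink receives exactly the same bytes as the direct write the analyzer does flag), and a hardened variant that applies HTML encoding inside the Optional chain so the output is safe regardless of whether the analyzer follows taint through Optional. The `escapeHtml` helper, the class name and the sample input are assumptions made for this example; in production a maintained encoder library would be used instead of the hand-written helper.

```java
import java.util.Optional;

// Added example, not part of the original post or the attached servlet.
public class OptionalTaintDemo {

    // Minimal HTML text-node encoder (assumption: adequate for the HTML body
    // context of this demo; prefer a maintained encoder library in real code).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mirrors the pattern from the report: Optional is a pure pass-through,
    // so whatever reaches the sink is byte-for-byte the original tainted value.
    static String unencodedViaOptional(String badValue) {
        return Optional.of(badValue).get();
    }

    // Hardened form: encode before the value leaves the Optional chain, so the
    // sink only ever sees HTML-safe text. Works whether or not the analyzer
    // tracks taint through Optional.
    static String encodedViaOptional(String badValue) {
        return Optional.ofNullable(badValue)
                       .map(OptionalTaintDemo::escapeHtml)
                       .orElse("");
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for attacker-controlled data.
        String badValue = "<b>user</b> & \"quotes\"";

        String passthrough = unencodedViaOptional(badValue);
        String encoded = encodedViaOptional(badValue);

        // The Optional wrapper changed nothing: same string reaches the sink.
        if (!passthrough.equals(badValue)) {
            throw new AssertionError("Optional altered the value unexpectedly");
        }
        // The hardened path contains no raw markup characters.
        if (encoded.indexOf('<') >= 0 || encoded.indexOf('"') >= 0) {
            throw new AssertionError("encoding failed: " + encoded);
        }

        System.out.println("pass-through : " + passthrough);
        System.out.println("encoded      : " + encoded);
    }
}
```

Run with `javac OptionalTaintDemo.java && java OptionalTaintDemo`. The first check is the whole point of the report: since `Optional.of(v).get()` is the identity on the value, a taint-tracking rule should treat it as taint-preserving; until it does, encoding at (or just before) the sink is what keeps the servlet safe, and it is also the fix a reviewer would ask for independent of the analyzer.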

Hello Roman,

Thanks a lot for this feedback, I tested it on SonarQube EE 9.7.1 and it is not detected. I’m going to create an internal ticket to handle that.

Have a good day!

Loris

Poc

