Hello, I found that the rule S4434 LDAPDeserializationCheck in sonar-java will miss some cases that need constant analysis or something similar.
For example:
boolean returnObject = true;
SearchControls ctrl3 = new SearchControls(scope, countLimit, timeLimit, attributes, returnObject, deref); // Noncompliant {{Disable object deserialization.}}
I am not sure if SonarQube can support constant propagation analysis, but since it is related to a critical security problem, I think it can be refined to not just match the literal argument.
Moreover, I also think it is better for the rule to raise an alarm on the following situation:
boolean returnObject = config == null ? true : config;
SearchControls ctrl3 = new SearchControls(scope, countLimit, timeLimit, attributes, returnObject, deref); // Noncompliant {{Disable object deserialization.}}
It can be reproduced by adding the cases to
sonar-java/java-checks-test-sources/default/src/main/java/checks/security/LDAPDeserializationCheckSample.java
and running
cd java-checks && mvn test -Dtest=LDAPDeserializationCheckTest
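To illustrate the kind of tracking the report asks for, here is a small standalone Python scanner (an added example, not sonar-java's implementation or the report's own code) that records boolean assignments within a snippet and flags every SearchControls constructor whose fifth argument, the returningObjFlag, may evaluate to true: the literal, a variable assigned true, and the ternary form are all reported, while a variable holding false is not. The Java input is constructed for the example.

```python
# The Java snippet below is constructed for this example, not taken from sonar-java's test sources.
import re
JAVA_SAMPLE = """
boolean returnObject = true;
SearchControls ctrl1 = new SearchControls(scope, countLimit, timeLimit, attributes, returnObject, deref);
SearchControls ctrl2 = new SearchControls(scope, countLimit, timeLimit, attributes, true, deref);
Boolean config = null;
boolean flag = config == null ? true : config;
SearchControls ctrl3 = new SearchControls(scope, countLimit, timeLimit, attributes, flag, deref);
boolean off = false;
SearchControls ctrl4 = new SearchControls(scope, countLimit, timeLimit, attributes, off, deref);
"""

CTOR = re.compile(r"new\s+SearchControls\s*\((.*)\)")
ASSIGN = re.compile(r"^\s*(?:final\s+)?(?:[Bb]oolean\s+)?(\w+)\s*=\s*(.+?)\s*;")

def split_top_level(args):
    """Split a Java argument list on commas that are not nested inside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in args:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return parts + ["".join(cur).strip()]

def may_be_true(expr, env):
    """True/False when expr is decidable from the assignments seen so far, None when unknown."""
    expr = expr.strip()
    if expr in ("true", "false"):
        return expr == "true"
    if "?" in expr and ":" in expr:  # cond ? a : b may enable deserialization if either branch may be true
        results = [may_be_true(b, env) for b in expr.split("?", 1)[1].rsplit(":", 1)]
        return True if True in results else (None if None in results else False)
    return env.get(expr)  # plain identifier: use its last recorded value

def find_deserialization_enabled(java_source):
    """Return (line, argument) for each SearchControls(...) whose returningObjFlag argument may be true."""
    env, findings = {}, []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        ctor = CTOR.search(line)
        if ctor:
            args = split_top_level(ctor.group(1))
            if len(args) == 6 and may_be_true(args[4], env):
                findings.append((lineno, args[4]))
        elif (assign := ASSIGN.match(line)):
            env[assign.group(1)] = may_be_true(assign.group(2), env)
    return findings
```

Running find_deserialization_enabled(JAVA_SAMPLE) reports lines 3, 4 and 7 of the snippet and stays silent on ctrl4, which is the behaviour the report asks the rule to have.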