False positive for indsecbugs-jsp:JSP_INCLUDE

tbernard · February 3, 2022, 1:49pm

SonarQube : 9.2.2

with

<jsp:include flush="false" page="/include/debut.inc.jsp">
	<jsp:param name="PAGE_TITLE" value="Au revoir" />
</jsp:include>

I have a report of “Dynamic JSP inclusion could lead to arbitrary code execution”
But the JSP inclusion is not dynamic if is statically /include/debut.inc.jsp !

#bug:fp

ganncamp · February 3, 2022, 2:37pm

Hi,

You should report this FP to the FindBugs maintainers by raising an issue on that GitHub project.

Ann

gtoison · February 4, 2022, 3:54pm

Hello,
As Ann said this rule is from the FindBugs plugin, actually this particular rule is from the Find Sec Bugs project

tbernard · February 4, 2022, 4:08pm

I opened https://github.com/find-sec-bugs/find-sec-bugs/issues/673

Topic		Replies	Views
Issue with Findbugs Security JSP Qualityprofile SonarQube Server / Community Build sonarqube	1	1201	July 20, 2022
SSI includes is reported as comments Report False-positive / False-negative... html	2	952	December 16, 2019
Sonar custom rule SonarQube Server / Community Build custom_rules , findbugs	1	386	June 19, 2023
Issues with specific Findbugs rules are suddenly being detected SonarQube Server / Community Build findbugs	4	1004	July 28, 2021
SonarQube Docker ignores @SuppressWarnings SonarQube Server / Community Build java	5	2329	June 1, 2020

False positive for indsecbugs-jsp:JSP_INCLUDE

Related topics