False positive for indsecbugs-jsp:JSP_INCLUDE

tbernard · February 3, 2022, 1:49pm

SonarQube : 9.2.2

with

<jsp:include flush="false" page="/include/debut.inc.jsp">
	<jsp:param name="PAGE_TITLE" value="Au revoir" />
</jsp:include>

I have a report of “Dynamic JSP inclusion could lead to arbitrary code execution”
But the JSP inclusion is not dynamic if is statically /include/debut.inc.jsp !

#bug:fp

ganncamp · February 3, 2022, 2:37pm

Hi,

You should report this FP to the FindBugs maintainers by raising an issue on that GitHub project.

Ann

gtoison · February 4, 2022, 3:54pm

Hello,
As Ann said this rule is from the FindBugs plugin, actually this particular rule is from the Find Sec Bugs project

tbernard · February 4, 2022, 4:08pm

I opened https://github.com/find-sec-bugs/find-sec-bugs/issues/673