False positive for indsecbugs-jsp:JSP_INCLUDE

SonarQube : 9.2.2


<jsp:include flush="false" page="/include/debut.inc.jsp">
	<jsp:param name="PAGE_TITLE" value="Au revoir" />

I have a report of “Dynamic JSP inclusion could lead to arbitrary code execution”
But the JSP inclusion is not dynamic if is statically /include/debut.inc.jsp !



You should report this FP to the FindBugs maintainers by raising an issue on that GitHub project.


As Ann said this rule is from the FindBugs plugin, actually this particular rule is from the Find Sec Bugs project

1 Like

I opened https://github.com/find-sec-bugs/find-sec-bugs/issues/673

1 Like