- SonarCloud : current
- Maven Sonar plugin : latest
Sonar marks a logging statement with vulnerability javasecurity:S5145 (Logging should not be vulnerable to injection attacks) but input is either validated or cannot be invalid.
From the location of the logging statement, the argument is tracked back all the way from a processor class to the Spring MVC Controller where the input originates.
However, the vulnerability is on a request parameter which has an Enum type. Spring MVC automatically converts the String input to a valid enum instance, so it is not possible for this request parameter to have an unknown, or invalid, value.
Also, JSR303 annotations to validate the input also do not seem to be taken into account. I specifically created a custom annotation to validate that an input string cannot have any line breaks (\n, \r, \t).
I can imagine the analyser could not validate this code, but it is also not possible to somehow 'untaint' a value.
Annotating the MVC method with @SuppressWarnings("javasecurity:S5145") also still gives the same vulnerability in the processor class.
Lastly, I was also not able to mark this vulnerability as 'resolve as false positive', but maybe that's an authorization issue in our SonarCloud setup.
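As an added illustration (not code from the post above, and not SonarSource's own code), the following sketch puts the two situations the post describes side by side: an enum request parameter that Spring's binder restricts to known constant names, and a String parameter guarded by a custom JSR303 constraint that rejects CR, LF and TAB. It also shows the practical mitigation for a log-injection finding at the sink itself: an explicit neutralisation step that replaces line-break characters immediately before the value reaches the logger, so the transformation is visible in the data flow rather than only in validation metadata. All names (`ReportType`, `NoLineBreaks`, `LogSafe`, `ReportController`, `ReportProcessor`, the `/reports` path) are hypothetical; whether a particular analyser accepts such a helper as a sanitizer depends on that analyser's rule configuration, which is not established by the post.

```java
package example.logging; // hypothetical package

import java.lang.annotation.*;
import jakarta.validation.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;

/** Hypothetical enum bound from a request parameter; unknown names are rejected by Spring's binder. */
enum ReportType { DAILY, WEEKLY }

/** Custom constraint modelled on the one the post describes: the value must not contain CR, LF or TAB. */
@Documented
@Constraint(validatedBy = NoLineBreaks.Validator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@interface NoLineBreaks {
    String message() default "must not contain line breaks or tabs";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};

    class Validator implements ConstraintValidator<NoLineBreaks, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            // null is left to @NotNull; an absent value cannot forge a log line
            return value == null || LogSafe.isSingleLine(value);
        }
    }
}

/** Explicit neutralisation at the log sink, independent of any validation annotations. */
final class LogSafe {
    private LogSafe() {}

    static boolean isSingleLine(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\n' || c == '\r' || c == '\t') return false;
        }
        return true;
    }

    /** Replace CR, LF and TAB with a visible marker so a forged entry cannot start on a new line. */
    static String sanitize(String s) {
        if (s == null) return "null";
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            out.append(c == '\n' || c == '\r' || c == '\t' ? '_' : c);
        }
        return out.toString();
    }
}

@RestController
@Validated // enables method-parameter validation, so @NoLineBreaks runs before the handler body
class ReportController {
    private final ReportProcessor processor = new ReportProcessor();

    @GetMapping("/reports")
    String report(@RequestParam ReportType type,               // enum: only DAILY or WEEKLY can arrive here
                  @RequestParam @NoLineBreaks String label) {  // constraint rejects CR/LF/TAB with a 400 response
        return processor.process(type, label);
    }
}

class ReportProcessor {
    private static final Logger log = LoggerFactory.getLogger(ReportProcessor.class);

    String process(ReportType type, String label) {
        // type.name() is one of the enum constants, never raw request text;
        // LogSafe.sanitize makes the neutralisation of label explicit at the sink itself.
        log.info("Processing {} report with label {}", type.name(), LogSafe.sanitize(label));
        return "ok";
    }
}
```

The validator and the sanitizer deliberately share one character check (`isSingleLine`) so the set of characters rejected at the boundary and replaced at the sink cannot drift apart; if the log format later needs to exclude further control characters, there is a single place to extend.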