Hi,
I just upgraded our SonarQube instance to 10.4 and a lot of false positives appeared when using regular expressions to validate @PathVariable formats like this:
@GetMapping("/something/{id:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}}")
public String getObj(@PathVariable("id") UUID id) {
    return "";
}
Which is being reported as “Bind path variable “12”, “4”, “8” to a method parameter.”.
The rule should ignore what’s after the first : until the corresponding closing }.
See example patterns at Mapping Requests :: Spring Framework
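
The name extraction the post asks for, as an added example that is not part of the original post and is neither SonarQube's rule code nor Spring's own parser. The class and method names are hypothetical, and skipping backslash-escaped characters inside the regex is an assumption of this sketch.

```java
import java.util.ArrayList;
import java.util.List;

public class TemplateVariables {
    // Returns the variable names declared in a URI template such as the one above.
    // For "{name:regex}" only the text before the first ':' is the name; the
    // regex runs to the '}' that balances the opening '{', so quantifiers
    // like {8} inside it are skipped instead of being read as variables.
    static List<String> variableNames(String template) {
        List<String> names = new ArrayList<>();
        int i = 0;
        while (i < template.length()) {
            if (template.charAt(i) != '{') {
                i++;
                continue;
            }
            int depth = 1;   // brace nesting level inside this variable
            int j = i + 1;   // scan position
            int colon = -1;  // index of the first top-level ':' (name/regex split)
            while (j < template.length() && depth > 0) {
                char c = template.charAt(j);
                if (c == '\\') {
                    j++; // assumption: an escaped character never opens or closes a brace
                } else if (c == '{') {
                    depth++;
                } else if (c == '}') {
                    depth--;
                } else if (c == ':' && depth == 1 && colon < 0) {
                    colon = j;
                }
                j++;
            }
            if (depth != 0) {
                throw new IllegalArgumentException("unbalanced '{' at index " + i);
            }
            int nameEnd = colon >= 0 ? colon : j - 1; // j is one past the matching '}'
            names.add(template.substring(i + 1, nameEnd).trim());
            i = j;
        }
        return names;
    }

    public static void main(String[] args) {
        // The mapping from the post, then a constructed template mixing both forms.
        System.out.println(variableNames("/something/{id:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}"
                + "-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}}"));
        System.out.println(variableNames("/a/{x}/b/{y:\\d+}"));
    }
}
```

A scan that treats every {...} group as a variable would pick up the quantifiers 8, 4 and 12 from the first template, which matches the names in the reported message.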