False positive with java:S6856 when using regex to validate PathVariables


I just upgraded our SonarQube instance to 10.4 and a lot of false positives appeared when using regular expressions to validate @PathVariable formats like this:

public String getObj(@PathVariable("id") UUID id){
  return "";
}
Which is being reported as “Bind path variable “12”, “4”, “8” to a method parameter.”.

The rule should ignore what’s after the first : until the corresponding closing }.

See example patterns at Mapping Requests :: Spring Framework
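As an added illustration (not code from the post or from SonarJava), the parse the report asks for: the variable name stops at the first `:` and the regex is skipped up to the matching `}`, tracking brace depth so quantifiers like `{8}` are not mistaken for variables. It is shown beside the naive `{...}` match that yields the quantifier values seen in the report; the sample paths are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PathVariableNames {

    // Constructed sample: a UUID-format regex on the "id" variable.
    static final String UUID_PATH =
        "/objects/{id:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}}";
    // Constructed sample: a plain variable followed by a regex-constrained one.
    static final String MIXED_PATH = "/users/{userId}/files/{name:.+}";

    /** Naive extraction: every innermost {...} is taken as a variable, so regex quantifiers leak out. */
    static List<String> naiveNames(String path) {
        List<String> names = new ArrayList<>();
        Matcher m = Pattern.compile("\\{([^{}]*)\\}").matcher(path);
        while (m.find()) {
            names.add(m.group(1));
        }
        return names;
    }

    /** Brace-depth extraction: name ends at the first ':' at depth 1; the rest up to the matching '}' is regex. */
    static List<String> variableNames(String path) {
        List<String> names = new ArrayList<>();
        int i = 0;
        while (i < path.length()) {
            if (path.charAt(i) != '{') { i++; continue; }
            int depth = 0;
            int colon = -1;
            int j = i;
            for (; j < path.length(); j++) {
                char c = path.charAt(j);
                if (c == '{') depth++;
                else if (c == '}' && --depth == 0) break;   // matching close of this variable
                else if (c == ':' && colon < 0 && depth == 1) colon = j;
            }
            if (depth != 0) break;                          // unbalanced template: stop parsing
            int nameEnd = colon >= 0 ? colon : j;
            names.add(path.substring(i + 1, nameEnd));
            i = j + 1;
        }
        return names;
    }

    public static void main(String[] args) {
        System.out.println(naiveNames(UUID_PATH));      // [8, 4, 4, 4, 12]
        System.out.println(variableNames(UUID_PATH));   // [id]
        System.out.println(variableNames(MIXED_PATH));  // [userId, name]
    }
}
```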

Hey @alec
Thank you for the report and the compact example to reproduce the issue :pray:.
It looks indeed like we did not consider regular expressions (and their associated names) in the implementation.

I have created a ticket to track the issue.