Version used:
SonarQube: 8.6.1.40680,
Scanner: 3.0 (Gradle plugin)
package com.xx.customer_mapping.filter;
import com.sysco.customer_mapping.util.Constants;
import org.slf4j.MDC;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.UUID;
@Component
@WebFilter("/*")
public class StatsFilter implements Filter {
/** Name of the request header that carries the client-supplied correlation ID (untrusted input). */
private static final String CORRELATION_ID_HEADER_NAME = "Syy-Correlation-Id";
/**
 * No per-filter initialisation is needed: the header name is a compile-time constant.
 *
 * @param filterConfig supplied by the container; not used
 */
@Override
public void init(FilterConfig filterConfig) {
    // intentionally left empty
}
/**
 * Reads the correlation ID header, rejects a value that fails the whitelist check, and then
 * exposes the accepted value to logging through the MDC for the duration of the filter chain.
 *
 * The header is client-controlled input: it is validated before it is put into the MDC and is
 * always removed in {@code finally} so the value does not persist on the thread after the request.
 *
 * @param req   the incoming request; cast to {@link HttpServletRequest}
 * @param resp  the outgoing response; cast to {@link HttpServletResponse}
 * @param chain the remaining filter chain
 * @throws IOException      when the header is present but does not match the accepted pattern
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) req;
    HttpServletResponse httpResponse = (HttpServletResponse) resp;
    String headerValue = httpRequest.getHeader(CORRELATION_ID_HEADER_NAME);
    // Rejection happens here, before anything is logged under the supplied ID.
    validate(headerValue);
    // NOTE(review): an absent header stores a null value in the MDC; presumably the imported
    // java.util.UUID was meant to supply a generated fallback ID — confirm the intended behaviour.
    MDC.put(Constants.CORRELATION_ID_LOG_VAR_NAME, headerValue);
    try {
        chain.doFilter(httpRequest, httpResponse);
    } finally {
        MDC.remove(Constants.CORRELATION_ID_LOG_VAR_NAME);
    }
}
/**
 * Rejects a correlation ID that does not fully match the whitelist pattern.
 *
 * An absent header ({@code null}) is accepted as-is; any other value must satisfy
 * {@code correlationIdPattern}, which is declared elsewhere in this class and not visible here.
 *
 * NOTE(review): this check does not produce a new value — the caller keeps using the original
 * header String. A taint-tracking analyzer follows that object, so a boolean check alone may
 * not be recognised as sanitisation; presumably that is why the finding persists. Confirm
 * against the rule description.
 *
 * @param correlationId raw header value, possibly {@code null}
 * @throws IOException when a non-null value does not match the pattern
 */
private void validate(String correlationId) throws IOException {
    if (correlationId == null) {
        return;
    }
    boolean accepted = correlationIdPattern.matcher(correlationId).matches();
    if (!accepted) {
        throw new IOException("Correlation ID does not match with any accepted patterns");
    }
}
/**
 * Nothing to release: this filter holds no resources beyond the per-request MDC entry,
 * which {@code doFilter} already removes in its {@code finally} block.
 */
@Override
public void destroy() {
    // intentionally left empty
}
As Sonar recommends, requests that contain invalid headers should be rejected by throwing an IOException after the header has been validated against a whitelist.
Ref: Rules explorer
However, even after the retrieved correlation ID is validated, the vulnerability still remains.