Recently we migrated one of our Java projects from the community-edition server to a licensed developer-edition SonarQube server (v2025.1.1). With that, we now get better security analysis for our code, which is nice.
Soo… now we get some javasecurity:S5145 issues (Change this code to not log user-controlled data). The compliant solution is not really a good practice (This was discussed before here; therefore, I won’t go into that).
Marking the issues as “false-positive” isn’t doable either, since they get reopened on every change in the project and after creating a new feature branch.
What's a good way to solve these issues in the developer-edition?
Have you tried to turn issues off at code level? As mentioned here, you can use @SuppressWarnings(<rule_key>) to prevent SonarQube from raising a warning for that rule.
However, there is also a case where SonarQube doesn't honor the suppression, but I couldn't reproduce it.
Here’s another method but it disables all kinds of issues that may be raised.
We did a change recently in the behavior of this rule, I’m quoting what we have in our internal ticket:
S5145 targets production environments ONLY
Hence:
debug-level logging, meant for "debug", e.g. development environments, is not taken into account
trace-level logging goes even deeper than debug, even providing insights into the actual system and is used as part of maintenance or incident response. Not in regular day-to-day production operations.
With this change, you will see fewer S5145 issues, and you will only see them on logs that actually run in production. Upgrade to the latest 2025 version to get these changes.
Can you clarify which “sanitizer” you would expect to see instead of the compliant solution that we provide for S5145 for Java?
Note that the call on the final return line .replaceAll("[\n\r]", "_") is only there to please sonar, which is a bad thing.
The solution would be to allow registering custom sanitizers or validators in Developer Edition. To me it seems a bad feature cut between Developer and Enterprise. Developer can detect an issue, but to properly solve it you need to license Enterprise Edition.
Now, I'm not 100% sure if there is really no solution with Developer Edition. And that's the reason for my post. I would be pleased to be wrong about that.
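For readers who want to address the underlying log-forging risk behind S5145 rather than sprinkle the inline replaceAll at each call site, here is a small central sanitizer. It is an added example, not code from the thread or from SonarSource, and it assumes SLF4J-style parameterized logging at the call site; as the thread states, the Developer Edition taint engine cannot be told to treat such a helper as a sanitizer, so it reduces the risk, not the issue count.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the thread): one central place to neutralise
 * user-controlled values before they reach a log line, instead of an
 * inline replaceAll at every call site.
 */
public final class LogSanitizer {

    // CR/LF let an attacker-supplied value start a forged log record; the other
    // ASCII control characters can carry terminal escape sequences into log viewers.
    private static final Pattern CONTROL_CHARS = Pattern.compile("\\p{Cntrl}");

    // Bound the length so a single oversized value cannot flood the log.
    private static final int MAX_LENGTH = 200;

    private LogSanitizer() {
    }

    /** Returns a single-line, length-bounded rendering of a user-controlled value. */
    public static String forLog(Object value) {
        if (value == null) {
            return "null";
        }
        String cleaned = CONTROL_CHARS.matcher(value.toString()).replaceAll("_");
        if (cleaned.length() > MAX_LENGTH) {
            cleaned = cleaned.substring(0, MAX_LENGTH) + "...[truncated]";
        }
        return cleaned;
    }

    public static void main(String[] args) {
        // Constructed sample: a username carrying an injected second log record.
        String forgedUsername = "alice\n2025-01-01 12:00:00 INFO  login succeeded for admin";
        // With a real logger (assumed SLF4J) this would be
        // log.warn("login failed for user={}", LogSanitizer.forLog(forgedUsername));
        System.out.println("login failed for user=" + forLog(forgedUsername));
    }
}
```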
I confirm there is no such feature in Developer Edition to tune the Security Engine. You need to upgrade to Enterprise Edition to get access to the customization features.