java:S5443 Doubts about Path vs File

gian1200 · May 3, 2025, 12:57am

What language is this for? Java
Which rule? java:S5443
Why do you believe it’s a false-positive/false-negative? Both (?)
SonarQube Server / Community Build v25.3.0.104237 and v9.9
How can we reproduce the problem? Give us a self-contained snippet of code

import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

...

public Path downloadObject(AmazonS3 cosClient, String bucketName, String objectName) throws IOException {
		S3Object item = cosClient.getObject(new GetObjectRequest(bucketName, objectName));
		Path temporalPath = null;
		try (S3ObjectInputStream s3ois = item.getObjectContent()) {
			temporalPath = Files.createTempFile(Path.of("aaa"), null, null); // THIS LINE
			File temporalFile = temporalPath.toFile();
			boolean setReadable = temporalFile.setReadable(true, true);
			boolean setWritable = temporalFile.setWritable(true, true);
			if (!setReadable || !setWritable) {
				Log.warnv("...", setReadable, setWritable);
			}
			Files.copy(s3ois, temporalPath, StandardCopyOption.REPLACE_EXISTING);
			return temporalPath;
		} catch (IOException e) {
			throw e;
		}
	}

Files.createTempFile(Path.of("aaa"), null, null); is not flagged (should be?). Path “aaa” is virtual, it doesn’t exist, yet.
Files.createTempFile(null, null); is flagged, despite having setReadable and setWritable (setExecutable is not usable because there is no file created, only the path). With setExecutable it’s still flagged. The only difference with “Compliant Solution”, is that .toFile() is done in another line.
“Compliant Solution” should be modified. Example triggers java:S899 because returned booleans are not used.

Context

I download a file from an Object Storage, write it locally, work with it, and delete it.
I just need the Path to copy the file from the Stream, using Files.copy.
In case point 2 above is not a false positive, how should this be implemented?
Point 1 feels like a false negative, given that it’s “predictable”.

erwan.serandour · May 16, 2025, 12:11pm

Hi @gian1200,

Thanks for your detailed report on S5443. It is indeed a False Positive.

You’re correct that Files.createTempFile(null, null) being flagged despite permissions being set is a False Positive. We have an existing ticket for this issue, and it is a good reminder that we must tackle it.

Regarding Files.createTempFile(Path.of("aaa"), null, null) not being flagged: the rule is designed to assume that an explicitly provided directory is secure. This is a current limitation of the rule.

You can safely use any solutions provided in the compliant code section. I have created a ticket to modify the code example to prevent it from triggering S899.

Thank you! Your feedback is very helpful for refining our rules.

gian1200 · May 16, 2025, 2:00pm

Awesome, thanks!

Hopefully the ticket is not postponed again . It has been open since 2021.

Topic		Replies	Views
[javasecurity:S6096] Zip slip reported when prevented using Java NIO Report False-positive / False-negative... java , sonarqube , security	3	955	September 14, 2023
[javasecurity:S6096] Zip slip not reported when unzip is done using Java NIO Report False-positive / False-negative... java , sonarqube , security	3	634	September 14, 2023
Follow up on fixing Java Rule S1943 FileWriter or FileReader Report False-positive / False-negative...	5	1601	May 11, 2021
Java Rule S1943 should take into account if a FileWriter or FileReader is created with a charset Report False-positive / False-negative... java , java11	7	4411	March 26, 2021
False positive from java:S1105 in record containing class or interface Report False-positive / False-negative... java	1	261	October 5, 2023

java:S5443 Doubts about Path vs File

Related topics