java:S6905 false negative for inline string-literal concatenation (`"SELECT " + "*"`)

Product: SonarQube Community (self-hosted)
sonar-java version: sonar-java 8.28.0.43176 on SonarQube Community Build 26.4.0.121862
Java source level: 21 (javac 21, source/target 17)

Rule

java:S6905 — Don’t use the query “SELECT *”

Description

java:S6905 fails to detect SELECT * in SQL strings built via inline string-literal concatenation ("SELECT " + "*"), although the equivalent += form is correctly reported.

Reproducer

package demo;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class QueryBuilder {

    // BEFORE — NOT flagged by java:S6905 (false negative)
    public void foo(Connection conn) throws SQLException {
        String q = "SELECT * FROM t WHERE name=?" + " AND c IS NOT NULL";
        PreparedStatement ps = conn.prepareStatement(q);
        ps.setString(1, "someValue");
        ps.close();
    }

    // AFTER — correctly flagged by java:S6905
    public void bar(Connection conn) throws SQLException {
        String q = "SELECT * FROM t WHERE name=?";
        q += " AND c IS NOT NULL";
        PreparedStatement ps = conn.prepareStatement(q);
        ps.setString(1, "someValue");
        ps.close();
    }
}
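
As an added illustration of the gap (my own example, not sonar-java's implementation and not code from the report above): a small Python scanner that constant-folds Java string-literal `+` chains, including the split form from the title (`"SELECT " + "*"`) and `+=` appends, before looking for SELECT *. A per-literal check beside it shows what a checker misses when it inspects each literal on its own. The Java fragment is constructed for this example, and the scanner deliberately understands only one `String` declaration or assignment per line.

```python
import re

# Constructed Java fragment for this example (not the original reproducer): one
# declaration or append per line, which is the subset this scanner understands.
SAMPLE = '''\
String a = "SELECT * FROM t WHERE name=?" + " AND c IS NOT NULL";
String b = "SELECT " + "*" + " FROM t";
String c = "SELECT id FROM t";
c += " WHERE id=?";
String d = "SELECT id FROM t";
d += " UNION SELECT " + "* FROM u";
String e = "SELECT *";
String f = e + " FROM t";
'''

LITERAL = r'"(?:[^"\\]|\\.)*"'          # one Java string literal, escapes allowed
IDENT = r'[A-Za-z_]\w*'
TOKEN = re.compile(rf'\s*(?:({LITERAL})|({IDENT})|(\+))\s*')
LITERAL_RE = re.compile(LITERAL)
DECL = re.compile(rf'^\s*(?:final\s+)?String\s+({IDENT})\s*=\s*(.*?);\s*$')
ASSIGN = re.compile(rf'^\s*({IDENT})\s*(\+?=)\s*(.*?);\s*$')
SELECT_STAR = re.compile(r'\bSELECT\s+\*', re.IGNORECASE)

_ESC = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"', "'": "'"}


def unescape(body):
    """Decode the common Java escape sequences inside a literal body."""
    return re.sub(r'\\(.)', lambda m: _ESC.get(m.group(1), m.group(1)), body)


def fold(expr, env):
    """Constant-fold a '+' chain of string literals and already-known variables.

    Returns the resulting string, or None when any operand is not a compile-time
    constant (an unknown variable, a method call, a malformed chain).
    """
    pos, parts, expect_operand = 0, [], True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            return None
        lit, ident, plus = m.groups()
        if expect_operand:
            if lit is not None:
                parts.append(unescape(lit[1:-1]))
            elif ident is not None and env.get(ident) is not None:
                parts.append(env[ident])
            else:
                return None
        elif plus is None:
            return None
        expect_operand = not expect_operand
        pos = m.end()
    return None if expect_operand else "".join(parts)


def find_select_star(java_source):
    """Report (line, variable, folded value) where a String variable's constant
    value first comes to contain SELECT *, across '=' and '+=' alike."""
    env, findings = {}, []
    for n, line in enumerate(java_source.splitlines(), 1):
        m = DECL.match(line)
        if m:
            name, op, expr = m.group(1), "=", m.group(2)
        else:
            m = ASSIGN.match(line)
            if not m:
                continue
            name, op, expr = m.groups()
        prev = env.get(name)
        value = fold(expr, env)
        if op == "+=":
            value = None if prev is None or value is None else prev + value
        env[name] = value
        if value is None or not SELECT_STAR.search(value):
            continue
        if op == "+=" and prev and SELECT_STAR.search(prev):
            continue  # already reported when the variable first matched
        findings.append((n, name, value))
    return findings


def naive_scan(java_source):
    """Flag lines where a single literal contains SELECT *, ignoring concatenation."""
    return [n for n, line in enumerate(java_source.splitlines(), 1)
            if any(SELECT_STAR.search(unescape(lit[1:-1]))
                   for lit in LITERAL_RE.findall(line))]


if __name__ == "__main__":
    for n, name, value in find_select_star(SAMPLE):
        print(f"line {n}: {name} = {value!r}")
    print("per-literal check flags only lines", naive_scan(SAMPLE))
```

Run it as a script: the folding scanner flags every variable whose assembled value contains SELECT *, whereas the per-literal check only sees the two lines where the whole `SELECT *` sits inside one literal. The same folding is what makes the `+=` form and the inline form equivalent in the report above; javac itself folds a chain of literals into a single constant at compile time, so the two methods in the reproducer compile to the same query text.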

Hi @Emilyaxe,
Thank you for reporting this false negative. I was able to reproduce the issue and I created this ticket to tackle the gap in a future hardening effort.

Cheers,

Dorian