Hello Java developers,
Don’t be surprised if new vulnerability issues appear in your code analysis even though you did not change anything. This is expected: our Java security engine now finds more vulnerabilities in code that relies on lambda expressions.
Until today, when non-sanitized user input reached a lambda expression, the analysis simply ignored that instruction, which was the root cause of false negatives (i.e. a vulnerability was there but we were not raising anything).
As an example, the Java security engine now correctly raises an issue on such code:
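The post's own snippet is not reproduced here; the following is an added illustration, not the original example, of the pattern described above: user input captured by a lambda and reaching a SQL sink, next to a parameterized version. It assumes a standard servlet/JDBC setup (`HttpServletRequest`, `Connection`); the class and method names are hypothetical.

```java
// Added illustration (not the post's original snippet): tainted input flowing
// through a lambda into a SQL sink, which the analysis previously lost track of.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.function.Function;
import javax.servlet.http.HttpServletRequest; // assumed servlet API on the classpath

public class LambdaTaintExample {

    // Vulnerable: the user-controlled "name" parameter is passed into a lambda
    // that concatenates it into the query text. Before this change, taint
    // tracking stopped at the lambda and no issue was reported (false negative).
    static ResultSet vulnerable(HttpServletRequest request, Connection conn) throws SQLException {
        String name = request.getParameter("name"); // source: attacker-controlled
        Function<String, String> buildQuery =
                n -> "SELECT * FROM users WHERE name = '" + n + "'"; // taint flows through the lambda
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(buildQuery.apply(name)); // sink: SQL injection
    }

    // Fixed: the lambda only prepares a parameterized statement; the tainted
    // value is bound as a parameter and never spliced into the SQL text.
    static ResultSet fixed(HttpServletRequest request, Connection conn) throws SQLException {
        String name = request.getParameter("name");
        Function<Connection, PreparedStatement> prepare = c -> {
            try {
                return c.prepareStatement("SELECT * FROM users WHERE name = ?");
            } catch (SQLException e) {
                throw new IllegalStateException(e);
            }
        };
        PreparedStatement ps = prepare.apply(conn);
        ps.setString(1, name); // bound parameter: the input is data, not SQL
        return ps.executeQuery();
    }
}
```

With the updated engine, `vulnerable` is expected to be flagged because the flow from `getParameter` to `executeQuery` is now followed through `buildQuery`, while `fixed` is not.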
If your C# colleagues are jealous, tell them that providing the same improvement for C# is on our plan for later in 2021.
This change is available on SonarCloud, and is included in SonarQube 9.0 starting from the Developer Edition.
Enjoy!
Alex