javasecurity:S5145 false positives

Versions:

  • SonarQube, version 9.1.0.47736
  • Maven Sonar plugin 3.9.0.2155

I have two examples of false positives.

Example 1 - Session variables:

    @GetMapping(POLICY_DETAILS_PERFORM)
    public @ResponseBody
    Messages getPolicyDetails(@ModelAttribute(ModelKeys.SELECTED_POLICY) final String policyNumber, @SessionAttribute(SessionKeys.USER) final User user) {

        logger.debug(REQUEST_POLICY_NUMBER_USER_MESSAGE, policyNumber, user);
        // ... remainder of the method omitted in the original post
    }

SonarQube is warning about logging the user session variable. This isn’t user-controlled data.

Example 2 - @Valid annotation:

    @PostMapping(value = REGISTRATION_PERFORM, consumes = "application/json")
    public @ResponseBody Messages registerUser(@Valid @RequestBody RegistrationForm form, BindingResult result) {
        // ... method body, which logs form.getXXX() values, omitted in the original post
    }

SonarQube is warning about logging form.getXXX() properties. They’ve already been validated so it should be safe to log them.
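An added example (not code from the original post or from SonarSource) showing one way to satisfy S5145 in both situations: neutralize CR/LF in every value before it reaches the logger, and give validated fields a @Pattern that excludes line breaks so that a passing @Valid genuinely rules them out. The class and field names, the `/registration` path, and the javax.validation and SLF4J imports are assumptions.

```java
import javax.validation.Valid;
import javax.validation.constraints.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical helper: replace CR and LF so a logged value cannot forge a new log line.
final class LogSanitizer {
    private LogSanitizer() {}

    static String forLog(Object value) {
        if (value == null) {
            return "null";
        }
        return String.valueOf(value).replace('\r', '_').replace('\n', '_');
    }
}

// Hypothetical form: the @Pattern constraint forbids line breaks, so once @Valid
// reports no errors the field cannot carry a CRLF sequence.
class RegistrationForm {
    @Pattern(regexp = "[^\\r\\n]{1,64}")
    private String username;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
}

@RestController
class RegistrationController {
    private static final Logger logger = LoggerFactory.getLogger(RegistrationController.class);

    @PostMapping(value = "/registration", consumes = "application/json")
    public String registerUser(@Valid @RequestBody RegistrationForm form, BindingResult result) {
        if (result.hasErrors()) {
            // Validation failed: the raw field may hold anything, so sanitize before logging it.
            logger.warn("Registration rejected for username={}", LogSanitizer.forLog(form.getUsername()));
            return "rejected";
        }
        // Validation passed: the pattern already excludes line breaks; sanitizing again is cheap
        // and keeps the call site uniform for any analyzer that does not track constraints.
        logger.info("Registration received for username={}", LogSanitizer.forLog(form.getUsername()));
        return "accepted";
    }
}
```

With a BindingResult parameter Spring does not throw on validation failure, so the hasErrors() branch is where unvalidated input can still reach a log statement.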

Hello @rriopel, and welcome to our community :grinning:

Thanks for the report! I will look into this and come back to you in the next few days.