javasecurity:S5145 false positives


  • SonarQube, version
  • Maven Sonar plugin

I have two examples of false positives.

Example 1 - Session variables:

    public @ResponseBody
    Messages getPolicyDetails(@ModelAttribute(ModelKeys.SELECTED_POLICY) final String policyNumber, @SessionAttribute(SessionKeys.USER) final User user) {

        logger.debug(REQUEST_POLICY_NUMBER_USER_MESSAGE, policyNumber, user);

SonarQube is warning about logging the user session variable. This isn’t user-controlled data.

Example 2 - @Valid annotation:

    @PostMapping(value = REGISTRATION_PERFORM, consumes = "application/json")
    public @ResponseBody Messages registerUser(@Valid @RequestBody RegistrationForm form, BindingResult result)

SonarQube is warning about logging form.getXXX() properties. They’ve already been validated so it should be safe to log them.

Hello @rriopel, and welcome to our community :grinning:

Thanks for the report! I will look into this and come back to you in the next few days.
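For readers following the thread: S5145 is the log injection rule, and its concern is line breaks and other control characters in a logged value that could split or forge a log record. The sketch below is an added example, not code from the report or from SonarQube; it shows one way to neutralise such characters in the arguments of log calls like the two above. The class name, the `forLog` helper, the length cap and the sample values are assumptions, and nothing here implies the analyzer recognises this helper as a sanitizer.

```java
public class LogValueDemo {

    private static final int MAX_LEN = 200; // assumed cap; tune to your log format

    /** Hypothetical helper: single-line, length-bounded rendering of a value for logging. */
    static String forLog(Object value) {
        String s = String.valueOf(value); // yields "null" for a null reference
        boolean truncated = s.length() > MAX_LEN;
        if (truncated) {
            s = s.substring(0, MAX_LEN);
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // CR, LF, NEL and other control characters, plus the Unicode
            // line and paragraph separators, could start a new record in the log.
            if (Character.isISOControl(c) || c == 0x2028 || c == 0x2029) {
                out.append(String.format("\\u%04x", (int) c)); // make it visible instead
            } else {
                out.append(c);
            }
        }
        return truncated ? out.append("...[truncated]").toString() : out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the report.
        String policyNumber = "PN-1001\r\n2024-01-01 10:00:00 INFO login ok user=admin";
        String lastName = "Smith" + (char) 0x2028 + "second line";

        // Logged as-is, the first value renders as two separate log lines.
        System.out.println("raw:     policy=" + policyNumber);
        // After neutralising, each value stays on the line that logged it.
        System.out.println("escaped: policy=" + forLog(policyNumber));
        System.out.println("escaped: lastName=" + forLog(lastName));
    }
}
```

With a placeholder-style logger like the one in the report, the call site would become `logger.debug(REQUEST_POLICY_NUMBER_USER_MESSAGE, forLog(policyNumber), forLog(user))`.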