javasecurity:S5145 for MessageSource

What language is this for?
Java

Which rule?
javasecurity:S5145

Why do you believe it’s a false-positive/false-negative?
We are using Spring Boot with Servlet. We use methods in Controllers like so:

  @PostMapping(path = Endpoints.SOME_ENDPOINT + "/entanglement", params = "Id")
  @PreAuthorize("hasAuthority('" + SecurityConstants.SOME_PERMISSION + "')")
  public ModelAndView entanglementHandleFinalSubmit(@RequestParam String Id,
                                                    RedirectAttributes redirectAttributes,
                                                    Locale locale)
  {
    // Some code
    modelAndView.addObject(ViewParams.SUCCESS_PARAM_NAME, messageSource.getMessage(MessageKeyConstants.SUCCESS, null, locale));
    // Some code
    return modelAndView;
  }

SonarQube marks this with S5145, with the execution flow showing (1) at the @PostMapping annotation, (2) at the method parameter Locale locale and (3) at messageSource.getMessage(MessageKeyConstants.SUCCESS, null, locale).

My question is, why is this marked with this issue? From my understanding, regardless of what the Locale actually is, there is a default locale that would be used for the message source. Additionally, the rule is focused on logging user input. But in the sink, no logs are generated; only a message is retrieved (and inserted in the HTML template). Is the rule applied here correctly?

We are using:
SonarQube Server Enterprise Edition v2025.2 (105476) ACTIVE MQR Mode
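As an added illustration, not code from the original post or from SonarSource: the two defensive measures that address what S5145 is about. A request-derived Locale is pinned to one of the application's own supported constants before it reaches getMessage (so nothing tainted flows on), and any request value that does get written to a log has CR/LF neutralized. The class name, the allowlist and the sample inputs are assumptions.

```java
import java.util.List;
import java.util.Locale;

/** Hypothetical helper, not part of the original post. */
public final class SafeLocaleDemo {

    // Constructed allowlist: the locales this application ships message bundles for.
    private static final List<Locale> SUPPORTED = List.of(Locale.ENGLISH, Locale.GERMAN);
    private static final Locale FALLBACK = Locale.ENGLISH;

    /**
     * Pins the incoming Locale to one of our own constants. The returned object is
     * never the request-derived instance, so neither MessageSource.getMessage(...)
     * nor any log line a framework writes sees user-controlled data.
     */
    public static Locale resolveSupported(Locale requested) {
        if (requested == null) {
            return FALLBACK;
        }
        for (Locale supported : SUPPORTED) {
            if (supported.getLanguage().equals(requested.getLanguage())) {
                return supported;
            }
        }
        return FALLBACK;
    }

    /**
     * The concern behind S5145: a request value written to a log must not carry line
     * breaks, otherwise it can split one record into several. Replace CR and LF.
     */
    public static String neutralizeForLog(String untrusted) {
        return untrusted == null ? "" : untrusted.replace('\r', '_').replace('\n', '_');
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for what Spring's LocaleResolver would produce.
        System.out.println(resolveSupported(Locale.forLanguageTag("de-CH")));
        System.out.println(resolveSupported(Locale.forLanguageTag("xx")));

        // Constructed request parameter containing an embedded line break.
        String id = "42\nsecond line";
        System.out.println("Id=" + neutralizeForLog(id));
    }
}
```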

Hello @govenny,

Thanks for raising this post, I think I have an idea of what is going wrong here. Can you show me the list of flows on the side of the issue please?

It looks like that, and you can anonymize/remove the file names if it is required by your company:

I am interested in the small pieces of sentences (“a user can …”, “the instruction can …”) here.

Cheers,

Loris

Hi Loris,

thanks for getting back to me. Here you go:


Bildschirmfoto vom 2025-06-05 16-03-37

Thanks a lot! This is what I thought. I was looking for whether the flows would mention dependencies, and bingo. You can set this as an FP for now and I will research this internally.

To answer your question, we might have found that the dependency can add a log message with this data, but this might be an FP on our analysis of the dependency, leading to this FP for your code base. I need to investigate this further, but we generally have problems with our logging injection detection, even without dependencies it can lead to FPs.

Thanks for your post!

Loris