javasecurity:S5131: Tainted analysis for Big Object

1. Let’s say you have a Child Object:

   ```java
   public class ChildObj {
       String name;
       Integer age;
   }
   ```

2. You receive ChildObj in your REST API.
3. You have no intention to use the “name” field of ChildObj.
4. Your logic works around the age.
5. For processing, you pass the whole childObj into some method call.
6. Sonar catches your code and tells you: “Hey, name can be tainted. Please sanitize it.”
7. You have no other option. You are forced to sanitize name unnecessarily.

Hello,

The security engine running inside SonarQube Developer Edition and above is today NOT field-sensitive and this is why you have this weird behaviour.

We are actively working with our new colleagues from RIPS to make it field-sensitive (see https://jira.sonarsource.com/browse/MMF-1697) and this will fix the problem you are facing.

Would you be able to estimate the quantity of false-positives you have on your projects because of this current limitation?

Regards
Alex
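To make the field-sensitivity point concrete, here is an added toy model (not SonarQube's engine and not code from the original post) of the two ways a taint engine can remember where attacker-controlled data lives. It replays the scenario from the first post: `name` is bound verbatim from the request, the logic only ever reads `age`, and `age` reaches the sink. The model assumes, as a labelled simplification, that the parsed `Integer` is not itself a taint carrier, so the only reason `age` can look tainted is that the engine stores taint on the whole `child` object rather than on `child.name`.

```java
import java.util.HashSet;
import java.util.Set;

/**
 * Added illustration of object-level vs field-level taint tracking.
 * Toy model only; it is not SonarQube's security engine.
 */
public class FieldSensitivityDemo {

    /** Granularity at which the toy engine remembers taint. */
    enum Granularity { OBJECT, FIELD }

    /** Records which abstract locations hold attacker-controlled data. */
    static final class TaintState {
        private final Granularity granularity;
        private final Set<String> tainted = new HashSet<>();

        TaintState(Granularity granularity) {
            this.granularity = granularity;
        }

        /** Storage key: "child" at object level, "child.name" at field level. */
        private String key(String variable, String field) {
            return granularity == Granularity.FIELD ? variable + "." + field : variable;
        }

        /** A source writes attacker-controlled data into variable.field. */
        void taintField(String variable, String field) {
            tainted.add(key(variable, field));
        }

        /** Does reading variable.field yield attacker-controlled data? */
        boolean isTainted(String variable, String field) {
            return tainted.contains(key(variable, field));
        }
    }

    /**
     * Abstract trace of the program from the post:
     *   child = request body  (name: String copied from the client, hence a source;
     *                          age: parsed Integer, modelled as not a taint carrier,
     *                          which is an assumption of this toy model)
     *   response.write(child.age)   <- the only read that reaches a sink
     * Returns true when the engine would raise an issue at the sink.
     */
    static boolean engineReportsIssue(Granularity granularity) {
        TaintState state = new TaintState(granularity);
        state.taintField("child", "name");      // source: request-controlled String
        return state.isTainted("child", "age"); // sink reads only age
    }

    public static void main(String[] args) {
        // Object-level tracking cannot tell child.name from child.age once
        // child is tainted, so it flags the age write: the false positive.
        System.out.println("object-level engine flags sink: "
                + engineReportsIssue(Granularity.OBJECT));
        // Field-level tracking keeps taint on child.name only, so the same
        // read of child.age is clean.
        System.out.println("field-level engine flags sink: "
                + engineReportsIssue(Granularity.FIELD));
    }
}
```

The difference between the two runs is exactly the limitation described above: with object-level storage the engine has no way to express "this object is tainted but this particular field is not", so any read through a tainted reference inherits the taint.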

Thanks @Alexandre_Gigleux

One of my microservices (among 2 endpoints where I have the above situation), and it is flagging for both.

Hello,

SonarQube 8.5 was released and now the security engine is field-sensitive for Java, C# and PHP. It means the false-positive issues you discovered should no longer be raised.

If you still have the problem after having upgraded to SQ DE 8.5, don’t hesitate to come back to us.

Thanks
Alex