jssecurity:S3649 does not trigger(Database queries should not be vulnerable to injection attacks)

This code does not trigger jssecurity:S3649 check.(it should do)
Simply copied from the rule’s example.

var db = require('./mysql/dbConnection.js');

function (req, res) {
  var name = req.query.name; // user controlled input
  var password = crypto.createHash('sha256').update(req.query.password).digest('base64');

  var sql = "select * from user where name = '" + name + "' and password = '" + password + "'";

  db.query(sql, function(err, result) { // Noncompliant
     // something

Rules are enabled.

But do not trigger.

There are attachments of code and scan-log.

sonar-scanner-X.log (33.8 KB)
demo.js.txt (401 Bytes)

We use Developer Edition.

  • Developer Edition
  • Version 8.9.6 (build 50800)

Hello and welcome to the community!

The code from our code sample is a bit minified. For an issue to be raised, you actually have to register this function as a controller (e.g. in an Express.js app). Otherwise, our analyzer is not aware of what type req has and that it contains user input.

Thank you. Add some context and try again.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.