More accurate Command Injection rule(s)


Until today, SonarCloud was detecting OS Command Injection attacks thanks to a single rule S2076. That was great and at the same time not 100% accurate because depending on where the injection is performed, it is possible to control the OS command itself or only the parameters of this OS command.

We made a change to be more precise and to provide better guidance in the rule’s documentation. There are now 3 rules dedicated to the topic:

  • S2076: OS commands should not be vulnerable to command injection attacks
  • S5883: OS commands should not be vulnerable to argument injection attacks
  • S6350: Constructing arguments of system commands from user input is security-sensitive

This change is available on now for Java, C#, PHP, JS/TS and Python analysis and is also part of SonarQube 9.2 Developer Edition.