Hey SonarQube community.
I want to report a False Negative. We configured SonarQube to run over our entire PHP code base to check for pieces of code that may contain SQL Injections.
During this analysis, we also did some tests to check the SonarQube outputs, enabling all PHP vulnerabilities, and created some PHP files that contain a real-case SQL Injection vulnerability.
The first file vulnerable to SQL Injection contains the following PHP code, and SonarQube has not identified any vulnerability, only a code smell, as you can see below.
<?php
// $conn is assumed to be an already-opened PDO connection (not shown in this snippet).
$p = $_POST['param'];
// Untrusted request data is concatenated straight into the ORDER BY clause.
$sql = 'SELECT name, color, calories FROM fruit ORDER BY ' . $p;
foreach ($conn->query($sql) as $row) {
    print $row['name'] . "\t";
    print $row['color'] . "\t";
    print $row['calories'] . "\n";
}
?>
The second vulnerable code is a blind SQL Injection, as you can see below.
<?php
require_once('../_helpers/strip.php');
// this database contains a table with 2 rows
// This is my first secret (ID = 1)
// This is my second secret (ID = 2)
$db = new SQLite3('test.db');
$id = $_GET['id'] ?? ''; // avoid an undefined-index notice when the parameter is absent
if (strlen($id) < 1) {
    echo 'Usage: ?id=1';
} else {
    // The raw query-string value is concatenated into the WHERE clause (blind SQL Injection).
    $count = $db->querySingle('select count(*) from secrets where id = ' . $id);
    if ($count > 0) {
        echo 'Yes!';
    } else {
        echo 'No!';
    }
}
?>
The third vulnerable file uses the same vulnerable code that is available in your documentation as Noncompliant, and even with this sample code SonarQube was not able to detect any SQL Injection vulnerability, only bugs and a code smell; even the bug doesn't mention anything about SQL Injection, as you can see below.
<?php
class AuthenticationHandler {
    public mysqli $conn;

    function authenticate() {
        $user = $_POST['user'];
        $pass = $_POST['pass'];
        $authenticated = false;
        // Both POST values are concatenated into the SQL string without any parameterisation.
        $query = "SELECT * FROM users WHERE user = '" . $user . "' AND pass = '" . $pass . "'";
        $stmt = $this->conn->query($query); // Noncompliant ($this->conn: the property declared above)
        if ($stmt->num_rows == 1) {
            $authenticated = true;
        }
        return $authenticated;
    }
}
?>
What language is this for?
PHP
Which rule?
Database queries should not be vulnerable to injection attacks - S3649
Why do you believe it’s a false-positive/false-negative?
The pieces of code contain SQL Injection vulnerabilities.
Are you using: SonarQube Enterprise Version 9.9.0.65466
Thank You,
Marcos Ferreira
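For reference, the hardened counterparts of the three snippets in the post above, as an added example that is not part of the original report and not SonarSource's code. It assumes a PDO handle `$pdo` for the `fruit` table, an SQLite3 handle `$db` for `secrets`, a mysqli handle `$conn` for `users`, and a `pass_hash` column holding `password_hash()` output; all of these names are assumptions for the illustration. The ORDER BY case is the one that cannot be fixed with a bound parameter, so it is handled with an allowlist instead.

```php
<?php
// Added example, not from the original post. Assumed handles: $pdo (PDO),
// $db (SQLite3), $conn (mysqli); assumed column users.pass_hash.

// 1. ORDER BY: identifiers cannot be bound, so map the request value onto an
//    allowlist of column names and refuse anything else.
function orderedFruit(PDO $pdo, string $requested): array
{
    $allowed = ['name', 'color', 'calories'];
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    // $requested is now one of our own literals, no longer user-controlled text.
    $stmt = $pdo->query("SELECT name, color, calories FROM fruit ORDER BY $requested");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Blind SQLi case: validate the id as an integer and bind it as a parameter.
function secretExists(SQLite3 $db, $rawId): bool
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false; // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT count(*) FROM secrets WHERE id = :id');
    $stmt->bindValue(':id', $id, SQLITE3_INTEGER);
    $row = $stmt->execute()->fetchArray(SQLITE3_NUM);
    return $row !== false && $row[0] > 0;
}

// 3. Login: prepared statement for the lookup, password check done in PHP
//    against a stored hash rather than comparing plaintext inside the query.
class SafeAuthenticationHandler
{
    public mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    public function authenticate(string $user, string $pass): bool
    {
        $stmt = $this->conn->prepare('SELECT pass_hash FROM users WHERE user = ?');
        $stmt->bind_param('s', $user);
        $stmt->execute();
        $stmt->bind_result($hash);
        $found = $stmt->fetch() === true;
        $stmt->close();
        // password_verify() compares against a password_hash() value in constant time.
        return $found && password_verify($pass, $hash);
    }
}

// Usage at the request boundary (constructed, mirrors the original snippets):
// $rows = orderedFruit($pdo, $_POST['param'] ?? 'name');
// echo secretExists($db, $_GET['id'] ?? '') ? 'Yes!' : 'No!';
// $ok = (new SafeAuthenticationHandler($conn))->authenticate($_POST['user'] ?? '', $_POST['pass'] ?? '');
```

With these forms the query text is fixed at compile time and every user-supplied value either arrives through a bound parameter or is checked against a closed set, which is also the shape of code that taint analysis tools such as rule S3649 treat as sanitised.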