Refactor this code to not place tainted, user-controlled data in the header

Version used - SonarQube 7.9.1
Language - Java 8

"Refactor this code to not place tainted, user-controlled data in the header."

I receive this issue in a RestController since the request parameter is used as-is. The fix works when the regex pattern match is done directly in the controller. However, if the check is moved to a separate util class, the same check is not considered.

Sample code which works:
if (id.matches(ALPHA_NUMERIC_CHECK_REGEX)) { ... }
Sample code which doesn't work:
if (ValidationUtil.validateId(id)) { ... }
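The two variants side by side as an added illustration in plain Java (not the reporter's code and not SonarSource's): the names ValidationUtil, validateId, ALPHA_NUMERIC_CHECK_REGEX and the header X-Request-Id are assumed, and a Map stands in for the servlet response so the file runs offline.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Assumed helper: the class, method and constant names are illustrative only.
final class ValidationUtil {
    // Allow-list of 1-64 ASCII letters/digits. String.matches()/Matcher.matches()
    // match the whole input, so CR, LF or any other header-breaking byte is rejected.
    static final String ALPHA_NUMERIC_CHECK_REGEX = "[A-Za-z0-9]{1,64}";
    private static final Pattern ID_PATTERN = Pattern.compile(ALPHA_NUMERIC_CHECK_REGEX);

    private ValidationUtil() {}

    /** True only if the entire id is allow-listed; this is the sanitizer. */
    static boolean validateId(String id) {
        return id != null && ID_PATTERN.matcher(id).matches();
    }
}

public class HeaderDemo {
    // Stand-in for HttpServletResponse.setHeader(): collects headers in a map.
    static final Map<String, String> HEADERS = new LinkedHashMap<>();

    // Variant 1: regex applied inline in the controller (the form Sonar accepts).
    static boolean setHeaderInline(String id) {
        if (id.matches(ValidationUtil.ALPHA_NUMERIC_CHECK_REGEX)) {
            HEADERS.put("X-Request-Id", id);
            return true;
        }
        return false;
    }

    // Variant 2: identical check delegated to a utility class. Same runtime
    // behaviour, but the 7.9 engine does not know validateId() is a sanitizer.
    static boolean setHeaderViaUtil(String id) {
        if (ValidationUtil.validateId(id)) {
            HEADERS.put("X-Request-Id", id);
            return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs: a clean id and one carrying a CRLF sequence.
        String clean = "abc123";
        String withCrlf = "abc\r\nX-Injected: 1";
        System.out.println(setHeaderInline(clean) + " " + setHeaderViaUtil(clean));
        System.out.println(setHeaderInline(withCrlf) + " " + setHeaderViaUtil(withCrlf));
        System.out.println(HEADERS);
    }
}
```

Both variants reject the CRLF-bearing input, which is why the util-class report is a false positive of the analysis rather than a real gap in the code.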

Hello @Bhuvana and welcome to the community!
You are reporting a potential false positive for SonarQube in version 7.9, which is no longer supported and does not benefit from the very many improvements made to Java taint analysis in the 8.9 LTS (additional rules, deeper and more accurate analysis, and additional frameworks supported).
Can you check the same analysis after you have upgraded to the 8.9 version?

If unsure about how to proceed, the SonarQube 8.9 LTS: 3 steps to a smooth upgrade blog post will help. If you want to learn more about what is coming with this LTS, you can head to the Webinar: SonarQube 8.9 LTS - Better than ever thread.

Side note about the Security Engine configuration:
The possibility to customize the Security Engine configuration in order to have it recognize your proprietary framework elements (a sanitizer in your case) is available with the SonarQube Enterprise Edition (and above).
This feature has been improved further with SONAR-14610 in SonarQube 8.8+.

Best regards
Sylvain
