RSPEC-3649 SQL queries injection rule missing from server

Hey all!

SonarQube 7.6 - Enterprise Edition (previously 6 LTS was in use)
SonarJava 5.11

The following Java rule is not available on the instance.
To reproduce: on the “Rules” tab filter by name for “SQL” amongst the Java rules. This rule is not found.

I expect it to be available on the server, so I can add it to my Java quality profile. (and possibly it should be available in Sonar Way).

Other rules related to the Java plugin is available, like “Enabling Cross-Origin Resource Sharing is security-sensitive”. In general the plugin should be alive and up-to-date.

Checking the rules in the database for plugin_rule_key =“S3649” only shows a DELETED rule for C-Sharp.

How can I restore this Java rule?

Thanks and cheers,

P.s. This page has an outdated image. “Restore Built-in Profiles” is not an available option anymore I believe.


The rule S3649 was re-implemented a couple of months ago out of SonarQube Community Edition, so out of SonarJava.
It is now part of SonarQube Developer Edition and for sure, you have access to it with your EE.

It is possible that something happened during the installation of your EE and you don’t have the required JAR files bringing Injection Rules. You need to download again it and check that in your $SQ_HOME/extensions/plugins directory you have these JARs:

  • sonar-security-csharp-frontend-plugin-
  • sonar-security-java-frontend-plugin-
  • sonar-security-php-frontend-plugin-
  • sonar-security-plugin-


Hey @Alexandre_Gigleux!

Thanks a bunch, that did help!
We made a mistake as part of the install process, and that killed the security related jars after unzipping.
As a quick check, copying them back in and restarting the server results in the mentioned rule showing up correctly!


1 Like