Rule java:S2658 is deprecated but replacement rule java:S6173 not available in SonarQube 9.9.0.65466

Hello,

we are running a SonarQube Server 9.9.0.65466 with the bundled Sonar Java Plugin version 7.16.0.30901.

The Java Rule "java:S2658" : "Classes should not be loaded dynamically" is deprecated and in the description it says "This rule is deprecated; use S6173 instead."

But when I look for a Java Rule java:S6173, I can’t find it.

According to your documentation (Java static code analysis | injection: Reflection should not be vulnerable to injection attacks) the rule should exist and be available in the SonarQube Server.

In this announcement (Java: 5 additional Injection Vulnerability detection rules (NoSQL, Thread Suspensions, Reflection, JSON, XML)) of new Java rules in February 2022, the rule is mentioned. There is also a comment on this blog entry, asking why the rule S6173 is not available in SonarQube Server 9.9.1, but unfortunately this was not answered.

Actually, I searched for all of the 5 Java rules announced there and none of them is available in our SonarQube Server installation:

  • S5147 : NoSQL operations should not be vulnerable to injection attacks
  • S6390 : Thread suspensions should not be vulnerable to Denial of Service attacks
  • S6173 : Reflection should not be vulnerable to injection attacks
  • S6398 : JSON operations should not be vulnerable to injection attacks
  • S6399 : XML operations should not be vulnerable to injection attacks

Is there any way to get these rules in our installation? Is it possible that also other rules are missing in our installation?

Help would be appreciated.

Kindest regards
Thomas

Hey there.

This rule, along with its more advanced implementation, is only available in the Developer Edition of SonarQube and higher. Citing this ticket:

Currently, RSPEC-2658: Classes should not be loaded dynamically raises an issue if Class.forName() contains a dynamic value. This causes a lot of false-positives and noise, since it is only a security problem if an attacker can control the class. Thus, it makes sense to remove the rule from sonar-java and use sonar-security instead to only raise an issue if the parameter of Class.forName() comes from user input. For this a generic reflection injection rule was added: RSPEC-6173.
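As an added illustration of the distinction the ticket draws (this is example code, not from the thread or from SonarSource, and the plugin class names are hypothetical): the first method passes a request-supplied string straight to `Class.forName()`, which is the case S6173's taint analysis is meant to catch, while the second keeps the reflection target on a fixed allowlist so the untrusted value never reaches the reflective call.

```java
import java.util.Map;

public class PluginLoader {

    // Vulnerable pattern: the class name arrives directly from the request.
    // The legacy S2658 flags this because the argument is non-constant; the
    // taint-based S6173 flags it only if a source such as
    // HttpServletRequest.getParameter() actually flows into this call.
    static Object loadFromRequest(String requestedClass) throws Exception {
        Class<?> clazz = Class.forName(requestedClass); // attacker-chosen class name
        return clazz.getDeclaredConstructor().newInstance();
    }

    // Hypothetical plugin registry: keys are what callers may choose,
    // values are class names fixed by the developer at build time.
    private static final Map<String, String> ALLOWED_PLUGINS = Map.of(
            "csv", "com.example.plugins.CsvExporter",
            "json", "com.example.plugins.JsonExporter");

    // Hardened pattern: the untrusted key only selects an allowlisted entry,
    // so Class.forName() receives a developer-controlled name. Note that the
    // legacy S2658 would still report this as "dynamic" loading, which is the
    // false-positive noise the ticket describes; a taint rule sees no
    // user-controlled data reaching the sink.
    static Object loadAllowlisted(String pluginKey) throws Exception {
        String className = ALLOWED_PLUGINS.get(pluginKey);
        if (className == null) {
            throw new IllegalArgumentException("unknown plugin: " + pluginKey);
        }
        Class<?> clazz = Class.forName(className);
        return clazz.getDeclaredConstructor().newInstance();
    }
}
```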

Hi Colin,

thank you for this information. Guess I have to talk to our management to migrate from the Community Edition to the Developer Edition.

Kind Regards
Thomas

One more question: Is there an overview of what features/rules are missing in the community edition?

You can find a description of what is provided by each SonarQube Edition here but it’s true that this description shares only high-level differences between SonarQube Editions.

Specific to Java rules, with the SonarQube Developer Edition, you have on top of what is provided by the Community Edition:

Hello,
we are using SonarQube Developer Edition Version 9.9.1 (build 69595) and the rule java:S6173 is not available.