Rule java:S2695 checks for out-of-bounds column numbers when using PreparedStatements, at least if the column is a literal. Presumably it counts the number of ? characters in the string. However, it only seems to look at the latest assignment to that string. In the following, SQ complains about the 1, even though the String sql clearly has a column 1.
Thanks. Since this bug has been known for 4 years, perhaps you could put something in the description (the mdDesc / htmlDesc field) mentioning the limitations of this rule.
BTW, the rule you pointed me to specifically refers to not detecting question marks in a string built in pieces. I’ve found that the rule also fails to follow the column number to its source. So if I declare an int initialized to an invalid column number, and use that in the setInt() call as the first parameter, the rule isn’t triggered. Also, if the first parameter (column number) is an int constant declared in an imported package, and that constant is out of bounds for the specific PreparedStatement, the rule should be triggered, but is not. Is there a separate bug report for that? If not, could you add it to 2250?
(BTW, rule java:S2111 is able to check the type of an imported constant, so SonarQube (the Maven plugin, I guess) has a mechanism for getting information across package boundaries. So this capability should be enabled for rule java:S2695.)
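To make the patterns described in the two posts above concrete, here is an added example (not code from the original thread or from SonarJava) with a simple runtime guard that fails fast on an out-of-range parameter index regardless of what the static rule catches. The class name `S2695Cases`, the constants class `QueryColumns`, the helpers `placeholderCount`/`checkIndex` and the SQL strings are all constructed for illustration.

```java
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Hypothetical constants class standing in for the "imported package" case above.
final class QueryColumns {
    static final int NAME_INDEX = 2;   // out of bounds for the single-placeholder query below
}

public class S2695Cases {

    // Simplistic placeholder count (a literal '?' inside an SQL string literal would be
    // miscounted); it mirrors the heuristic the post presumes the rule uses.
    static int placeholderCount(String sql) {
        return (int) sql.chars().filter(c -> c == '?').count();
    }

    // Runtime guard: reject an index outside 1..placeholderCount(sql) before the JDBC
    // driver is involved, independent of what static analysis reports.
    static void checkIndex(String sql, int index) {
        int max = placeholderCount(sql);
        if (index < 1 || index > max) {
            throw new IllegalArgumentException(
                "parameter index " + index + " outside 1.." + max + " for: " + sql);
        }
    }

    // Constructed case 1 (false positive): the last assignment to sql contains no '?'
    // itself, so a checker reading only that assignment counts zero placeholders and
    // flags index 1, although the final string does have one.
    static void reassignedString(PreparedStatement ps) throws SQLException {
        String sql = "SELECT name FROM users WHERE id = ?";
        sql = sql + " ORDER BY name";
        checkIndex(sql, 1);          // passes: one placeholder
        ps.setInt(1, 42);
    }

    // Constructed cases 2 and 3 (false negatives): the index reaches setInt via a local
    // variable or an imported constant, so a checker that only inspects literal arguments
    // stays silent. The runtime guard throws IllegalArgumentException for both.
    static void indirectIndex(PreparedStatement ps) throws SQLException {
        String sql = "SELECT name FROM users WHERE id = ?";
        int column = 2;              // invalid: only one placeholder
        checkIndex(sql, column);     // throws here
        ps.setInt(column, 42);
        checkIndex(sql, QueryColumns.NAME_INDEX);   // would also throw (constant is 2)
        ps.setInt(QueryColumns.NAME_INDEX, 42);
    }
}
```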
I agree that this issue has been around for too long. We already fixed a similar case when using +=; I assigned it to the current version, so we should be able to do something about it.
Concerning your second question, I created a ticket to track the improvement: SONARJAVA-4019.