Rule S2077: not firing when formatting strings in multiple statements

Rule RSPEC-2077 not firing when formatting strings in multiple statements.

1/ Security Hotspot not detected:

public List<Object[]> notFiring(String table) {
	String query = "SELECT * ";
	query += "FROM " + table;

	return em.createNativeQuery(query).getResultList();		

2/ Security Hotspot detected:

public List<Object[]> firing(String table) {
	String query = "SELECT * FROM " + table;

	return em.createNativeQuery(query).getResultList();		

The rule should detect issues in both cases.

SonarQube version:
SonarJava version: 5.13.1 (build 18282)


hello @daniel_baires,

thanks for reporting this, I created the ticket to improve the rule.

Also note that we have, available in commercial editions, which is detecting SQL injection vulnerabilities (i.e. it will detect if there is unsanitized value passed to SQL query). This rule will handle concatenation correctly.