Rule S2077: not firing when formatting strings in multiple statements

Rule RSPEC-2077 not firing when formatting strings in multiple statements.

1/ Security Hotspot not detected:

public List<Object[]> notFiring(String table) {
	// The caller-supplied table name is concatenated into the SQL,
	// but across two statements: no Security Hotspot is raised.
	String query = "SELECT * ";
	query += "FROM " + table;

	return em.createNativeQuery(query).getResultList();
}

2/ Security Hotspot detected:

public List<Object[]> firing(String table) {
	// Same concatenation in a single statement: the Security Hotspot is raised.
	String query = "SELECT * FROM " + table;

	return em.createNativeQuery(query).getResultList();
}

The rule should detect issues in both cases.

SonarQube version: 7.9.1.27448
SonarJava version: 5.13.1 (build 18282)

2 Likes
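The pattern the report describes, shown side by side with a hardened version, as an added example that is not part of the original post or of SonarJava. It assumes a JPA `EntityManager` field named `em` (as in the reporter's snippet, using the `javax.persistence` API of that SonarQube era), and the table names in the allowlist and the `owner` column are constructed for the example. Since a table identifier cannot be bound as a query parameter, the hardened method validates it against an allowlist and binds the actual value with `setParameter`.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.Query;

// Added example (not the reporter's code): contrasts multi-statement
// concatenation with an allowlisted identifier plus a bound parameter.
public class TableQueryExample {

    private final EntityManager em;

    // Constructed allowlist of identifiers this code may query. Identifiers
    // cannot be bound as JPA parameters, so they must be validated instead.
    private static final Set<String> ALLOWED_TABLES = Set.of("audit_log", "orders");

    public TableQueryExample(EntityManager em) {
        this.em = em;
    }

    // Same shape as the reporter's "notFiring" method: caller-supplied input is
    // concatenated into the SQL across several statements. S2077 should flag
    // this exactly as it flags the single-statement form.
    @SuppressWarnings("unchecked")
    public List<Object[]> unsafe(String table, String owner) {
        String query = "SELECT * ";
        query += "FROM " + table;
        query += " WHERE owner = '" + owner + "'"; // value concatenated: injectable
        return em.createNativeQuery(query).getResultList();
    }

    // Hardened form: the identifier is checked against the allowlist and the
    // value is bound as a positional parameter rather than concatenated.
    @SuppressWarnings("unchecked")
    public List<Object[]> safe(String table, String owner) {
        String sql = "SELECT * FROM " + requireAllowedTable(table) + " WHERE owner = ?1";
        Query q = em.createNativeQuery(sql);
        q.setParameter(1, owner);
        return q.getResultList();
    }

    // Rejects any table name that is not in the fixed allowlist.
    static String requireAllowedTable(String table) {
        if (!ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("table not permitted: " + table);
        }
        return table;
    }
}
```

Note that `safe` still concatenates a string into the query, so a hotspot rule will (and should) still report it; the review of that hotspot is where the allowlist check gets confirmed. The `setParameter` call is what keeps the user-controlled value out of the SQL text.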

Hello @daniel_baires,

Thanks for reporting this; I created a ticket to improve the rule: https://jira.sonarsource.com/browse/SONARJAVA-3166

Also note that we have https://rules.sonarsource.com/java/tag/injection/RSPEC-3649, available in commercial editions, which detects SQL injection vulnerabilities (i.e. it will detect if an unsanitized value is passed to a SQL query). This rule handles concatenation correctly.

2 Likes