Rule s3649 doesn't work

We are using

  • SonarQube 10.5.1, scanner 5.0.1
  • language - java
  • Enterprise Edition

We tried to analyze the following code:

String querystring = "SELECT u FROM User u WHERE u.login = '" + login + "'";
Query query = entityManager.createQuery(querystring);
List<User> resultList = query.getResultList();

The Log contains information about the use of rule s3649

INFO: Sensor JavaSecuritySensor [security]
INFO: Enabled taint analysis rules: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5147, S5334, S5883, S6096, S6173, S6287, S6350, S6384, S6390, S6398, S6399, S6547, S6549

The file with vulnerability isn’t excluded.
But SonarQube says that the code isn’t vulnerable. How is it possible? The same code is provided in SonarQube’s example for SQLi. What are we doing wrong?
Maybe we are missing something?

Thank you!

Hi,

This code is only vulnerable if login is under the control of an attacker. The createQuery should also be vulnerable (i.e. be a sink).

So it depends on the context of the code. Are you able to send a reproducer so we get the full context?

Regards

Sebastien

Hi Sebastien,

Sorry for my late answer. We knew that it is a false negative because it is exploitable. We use Hibernate for queries. Here goes the context:

public class UserService {
...
    public User findByLogin(String login) {
        // JPQL assembled by string concatenation: createQuery(...) is the sink
        Query query = entityManager.createQuery("SELECT u FROM User u WHERE u.login = '" + login + "'");
        List<User> resultList = query.getResultList();
        ...
    }
...
}

and then we have a controller in which we do the following:

import my.project.services.UserService;
...
public String search() {
    // getLogin() returns the user-supplied request value (the source)
    if (StringUtils.isEmpty(getLogin()))
        return INPUT;

    try {
        user = userService.findByLogin(getLogin());
...
}

Please tell me if we need to provide more information and these pieces of code aren’t enough. Thank you!

Hi,

Thanks for your reply.

  • What is the source exactly (the original source)? The code you provided does not show what calls UserService.findByLogin. Which web frameworks/libraries are you using?

  • What is the exact type of entityManager? Is it a @PersistenceContext (javax.persistence)?

To be able to reproduce the false negative, I need to see the chain of calls from the source to the sink.

Regards

Sebastien

Hi Sebastien,

Thank you for your reply. I apologize for the confusion; it’s clear now that my previous explanation wasn’t sufficient. While I can’t share our full code, I found a very similar project online that has exactly the same flow as ours for this particular code. Is it okay if I share a link to the vulnerable code on GitHub here?

Hi,
Yes, sure.
Regards
Sebastien

Hi,
The project here has a service UserService with the method findByLoginUnsafe. It is very similar to our code. We ran SonarQube on it and got the same result – SQL injection wasn’t detected.

Thank you,

Tatyana

Hi,

Thank you for providing this link.

I see that the vulnerable source (login) is in a Struts 2 action. Unfortunately, we do not support Apache Struts. This is why we are not detecting the issue. We currently do not have plans to support it.

Regards

Sebastien


Hi Sebastien,

Thank you for the answer!
Just for the record, in case it is useful to somebody: the FindBugs plugin works fine for this case.

Regards,
Tatyana
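As an added example (not code from this thread or from the linked project), here is the createQuery sink Sebastien describes, with the concatenated form beside a parameterized one. It assumes a JPA entity `User` with a `login` field and a container-injected `EntityManager`; the class and method names are illustrative.

```java
import java.util.List;
import java.util.Optional;

import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;

// Added example; assumes a JPA entity `User` with a `login` column and a
// container-managed EntityManager. Not code from the thread's project.
public class UserRepository {

    @PersistenceContext
    private EntityManager entityManager;

    // The pattern reported in the thread: the JPQL text is assembled from
    // `login`, so a single quote in the input terminates the string literal
    // and the remainder is parsed as JPQL. createQuery(...) is the sink; a
    // taint analyzer only reports it when `login` can be traced back to a
    // source it models (the thread shows Struts 2 actions are not modelled).
    public List<User> findByLoginUnsafe(String login) {
        String jpql = "SELECT u FROM User u WHERE u.login = '" + login + "'";
        return entityManager.createQuery(jpql, User.class).getResultList();
    }

    // Hardened form: the JPQL is a constant and the input is bound as a
    // named parameter, so the provider always treats it as data, never as
    // query text. There is no concatenation and therefore no sink to reach,
    // whichever framework supplies `login`.
    public Optional<User> findByLogin(String login) {
        TypedQuery<User> query = entityManager.createQuery(
                "SELECT u FROM User u WHERE u.login = :login", User.class);
        query.setParameter("login", login);
        query.setMaxResults(1);
        return query.getResultList().stream().findFirst();
    }
}
```

The parameterized version removes the defect itself; the missing Struts 2 source support only affects whether the unsafe version gets reported.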