Rules to detect missing Java input validation

andfaa · April 19, 2022, 2:03pm

Hi
I am very new to the Sonar universe. I would like to detect missing input validation in Java functions, e.g. as described in OWASP Top Ten Proactive Controls 2018, section C5 (OWASP Top Ten Proactive Controls 2018 | C5: Validate All Inputs | OWASP Foundation).

### BAD CODE (SPRING BOOT)
...

public class Buy {
  private Integer price;
  private Integer quantity;

}

@RestController
class BuyController {
  @PostMapping("/buy")
  public void Buy(@RequestBody Buy buy){
    System.out.println(buy);
  }
}
...

The above code should trigger an alarm. The below code should not (as it has rudimentary input validation):

### SLIGHTLY BETTER CODE (SPRING BOOT)
...
package javax.validation.constraints;

public class Buy {
  @PositiveOrZero
  private Integer price;
  @Positive
  private Integer quantity;

}

@RestController
class BuyController {
  @PostMapping("/buy")
  public void Buy(@Valid @RequestBody Buy buy){
    System.out.println(buy);
  }
}
...

Is this solved in full or part by any existing rule(s)?

SonarQube Enterprise Edition Version 9.4 (build 54424).

Thanks in advance and best regards,
Andreas