Hi
I am very new to the Sonar universe. I would like to detect missing input validation in Java functions, e.g. as described in OWASP Top Ten Proactive Controls 2018, section C5 (OWASP Top Ten Proactive Controls 2018 | C5: Validate All Inputs | OWASP Foundation).
### BAD CODE (SPRING BOOT)
...
```java
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Request DTO without any Bean Validation constraints on its fields
public class Buy {
    private Integer price;
    private Integer quantity;
    // accessors so Jackson can bind the JSON body to the private fields
    public Integer getPrice() { return price; }
    public void setPrice(Integer price) { this.price = price; }
    public Integer getQuantity() { return quantity; }
    public void setQuantity(Integer quantity) { this.quantity = quantity; }
}

@RestController
class BuyController {
    // @RequestBody without @Valid: the body is bound but never validated
    @PostMapping("/buy")
    public void Buy(@RequestBody Buy buy) {
        System.out.println(buy);
    }
}
```
...
The above code should trigger an alarm. The below code should not (as it has rudimentary input validation):
### SLIGHTLY BETTER CODE (SPRING BOOT)
...
package javax.validation.constraints;
```java
import javax.validation.Valid;
import javax.validation.constraints.Positive;
import javax.validation.constraints.PositiveOrZero;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Request DTO carrying Bean Validation constraints on its fields
public class Buy {
    @PositiveOrZero
    private Integer price;
    @Positive
    private Integer quantity;
    public Integer getPrice() { return price; }
    public void setPrice(Integer price) { this.price = price; }
    public Integer getQuantity() { return quantity; }
    public void setQuantity(Integer quantity) { this.quantity = quantity; }
}

@RestController
class BuyController {
    // @Valid makes Spring check the constraints declared on Buy before the
    // handler runs; a violation is rejected with a 400 response
    @PostMapping("/buy")
    public void Buy(@Valid @RequestBody Buy buy) {
        System.out.println(buy);
    }
}
```
...
Is this solved in full or part by any existing rule(s)?
SonarQube Enterprise Edition Version 9.4 (build 54424).
Thanks in advance and best regards,
Andreas
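Added example, not part of the original post and not an existing SonarQube rule: a custom rule written against the SonarSource Java plugin API (`org.sonar.plugins.java.api`, base class `IssuableSubscriptionVisitor`) that reports a method parameter annotated with Spring's `@RequestBody` but carrying neither `@Valid` nor `@Validated`. This is exactly the distinction between the two snippets above: the first controller is flagged, the second is not. The package, class name and rule key are made up for illustration; the annotation names are the real Spring and Bean Validation ones (both the `javax` and `jakarta` namespaces are accepted).

```java
package org.example.sonar.rules; // hypothetical package for this example

import java.util.Collections;
import java.util.List;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.AnnotationTree;
import org.sonar.plugins.java.api.tree.MethodTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;

/**
 * Reports a handler parameter that is bound from the HTTP request body
 * (@RequestBody) but is not validated (@Valid / @Validated).
 * Rule key and class name are illustrative, not from SonarSource.
 */
@Rule(key = "RequestBodyWithoutValid")
public class RequestBodyWithoutValidRule extends IssuableSubscriptionVisitor {

  private static final String REQUEST_BODY =
      "org.springframework.web.bind.annotation.RequestBody";

  // Any of these on the parameter makes Spring run Bean Validation on it
  private static final List<String> VALIDATING = List.of(
      "javax.validation.Valid",
      "jakarta.validation.Valid",
      "org.springframework.validation.annotation.Validated");

  @Override
  public List<Tree.Kind> nodesToVisit() {
    // Only method declarations matter: their parameters carry the annotations
    return Collections.singletonList(Tree.Kind.METHOD);
  }

  @Override
  public void visitNode(Tree tree) {
    MethodTree method = (MethodTree) tree;
    for (VariableTree parameter : method.parameters()) {
      AnnotationTree requestBody = null;
      boolean validated = false;
      for (AnnotationTree annotation : parameter.modifiers().annotations()) {
        // Fully qualified name of the annotation type, resolved by the semantic model
        String name = annotation.annotationType().symbolType().fullyQualifiedName();
        if (REQUEST_BODY.equals(name)) {
          requestBody = annotation;
        } else if (VALIDATING.contains(name)) {
          validated = true;
        }
      }
      if (requestBody != null && !validated) {
        // Anchor the issue on the @RequestBody annotation itself
        reportIssue(requestBody, "Validate this request body with @Valid (or @Validated).");
      }
    }
  }
}
```

Two caveats a practitioner would want. First, the check relies on resolved types, so Spring and the validation API must be on the analysis classpath (`sonar.java.libraries`); otherwise `fullyQualifiedName()` cannot return the Spring name and nothing is reported. Second, `@Valid` on the parameter only cascades into constraints that the DTO actually declares; the rule accepts the "slightly better" example as intended, but it would equally accept `@Valid` on a DTO with no constraints at all, so it covers the missing-`@Valid` case of C5 and not whether the constraints themselves are adequate.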