Hello there,
I would like to report a false negative on the SQLi rule (S3649) for Java (SonarQube v9.9.5 LTA).
Why do you believe it’s a false-positive/false-negative?
I suspect the use of the “formatted” method to cause the false negative, this has been added in Java 15 and was maybe overlooked.
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import org.springframework.stereotype.Component;
@Component
public class GenericDataDao {
@PersistenceContext
private EntityManager entityManager;
public List<List<String>> getData(String view, List<String> columns, List<String> groupByColumns, List<String> groupSumColumns,
Filters filters) {
var sumColumns = groupSumColumns == null ? List.of() : groupSumColumns;
var groupSumClause = sumColumns.stream()
.map(s -> "cast(sum(%s) as double precision) AS %s".formatted(s, s))
.collect(Collectors.joining(","));
if (!groupSumClause.isEmpty()) {
groupSumClause = "," + groupSumClause;
}
var filterString = getFiltersString(filters);
var whereClause = filterString.isEmpty() ? "" : "WHERE " + filterString;
var queryString = "select %s%s from %s %s group by %s order by %s".formatted(
columns.stream().collect(Collectors.joining(",")),
groupSumClause,
view,
whereClause,
groupByColumns.stream().collect(Collectors.joining(",")),
groupByColumns.stream().collect(Collectors.joining(",")));
var nativeQuery = entityManager.createNativeQuery(queryString);
var result = nativeQuery.getResultList();
if (columns.size() + sumColumns.size() == 1) {
return result.stream()
.map(o -> List.of(o != null ? o.toString() : "NULL"))
.toList();
} else {
return result.stream()
.map(array -> Arrays.stream((Object[])array)
.map(e -> e != null ? e.toString() : "NULL")
.toList())
.toList();
}
}
Best regards,
Thibault
