Make sure to read this post before raising a thread here:
Then tell us:
- What language is this for? Java
- Which rule? java:S5852
- Why do you believe it’s a false-positive/false-negative? false-negative
- Are you using
  - SonarQube Cloud?
  - SonarQube Server / Community Build - which version? Yes - v2025.1.4 (113907)
  - SonarQube for IDE - which IDE/version?
  - in connected mode with SonarQube Server / Community Build or SonarQube Cloud?
- How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
  - Create a RegEx pattern with the regular expression `-+$`
  - Analyze the file with SonarQube
  - Notice that the RegEx DoS rule isn't triggered
For the given expression, ReDoS Checker determines that the RegEx is vulnerable.
Example:

```java
import java.util.regex.Pattern;

class RegExTest {
    // "-+$": a greedy run of '-' that must reach the end of input; ReDoS Checker reports it as vulnerable
    private static final Pattern REDOS = Pattern.compile("-+$");

    public boolean endsWithMinus(String text) {
        return REDOS.matcher(text).find();
    }
}
```
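As an added illustration (not part of the original report), the following compares the reported pattern with two equivalent checks that do not backtrack, on a constructed pathological input; the class, the timing harness and the input builder are my own, and `String.repeat` assumes Java 11 or later:

```java
import java.util.function.Predicate;
import java.util.regex.Pattern;

public class RedosDemo {
    // The pattern from the report: a greedy run of '-' that must reach the end of input.
    // Under find(), every start position inside a run of '-' consumes the run, fails at "$",
    // and then backtracks one character at a time, so the total work grows quadratically.
    private static final Pattern VULNERABLE = Pattern.compile("-+$");
    // Same decision without a quantifier: at each start position "$" succeeds or fails at once.
    private static final Pattern SAFE = Pattern.compile("-$");

    static boolean endsWithMinusVulnerable(String text) { return VULNERABLE.matcher(text).find(); }
    static boolean endsWithMinusSafe(String text)       { return SAFE.matcher(text).find(); }
    // Plain string API, no regex engine at all. Note: "$" also matches before a final line
    // terminator, so this differs from the regex versions only for input ending in "-\n".
    static boolean endsWithMinusPlain(String text)      { return text.endsWith("-"); }

    /** Constructed input: a long run of '-' followed by a character that defeats "$". */
    static String hostileInput(int runLength) {
        return "-".repeat(runLength) + "x";
    }

    static long millis(Predicate<String> check, String input) {
        long start = System.nanoTime();
        check.test(input);
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        // The three checks agree on ordinary input.
        for (String s : new String[] {"abc-", "---", "-a", "", "a-b"}) {
            boolean v = endsWithMinusVulnerable(s);
            if (v != endsWithMinusSafe(s) || v != endsWithMinusPlain(s)) {
                throw new AssertionError("checks disagree on \"" + s + "\"");
            }
        }
        // Doubling the run length roughly quadruples the time of the "-+$" check,
        // while the two alternatives stay flat.
        for (int n : new int[] {5_000, 10_000, 20_000}) {
            String input = hostileInput(n);
            System.out.printf("n=%6d  -+$ : %5d ms   -$ : %5d ms   endsWith: %5d ms%n",
                    n, millis(RedosDemo::endsWithMinusVulnerable, input),
                    millis(RedosDemo::endsWithMinusSafe, input),
                    millis(RedosDemo::endsWithMinusPlain, input));
        }
    }
}
```

The quadratic growth in the first column is the behaviour java:S5852 is meant to flag; either replacement removes it without changing the result on ordinary input.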