Security rule does not trigger: S5135 (Deserialization should not be vulnerable to injection attacks)

Must-share information (formatted with Markdown):

  • SonarQube 9.3.0.51899
  • Triggering a security rule from my profile

I’m trying to trigger the “Deserialization should not be vulnerable to injection attacks” vulnerability rule, which is enabled by default in the Sonar way profile, which is what I’m using on the project that’s being scanned. The reason for this is that I’m working on a fresh SonarQube setup and I want to make sure all the scans work properly.

I pretty much just copied the code that’s in that rule, and made sure that there aren’t any code smells that it could otherwise trigger on. Verbatim the code added is:

        using System;
        using System.IO;
        using System.Xml.Serialization;

        // Deliberately noncompliant: the type handed to XmlSerializer is chosen by the caller.
        public static Object AnotherDeser(string typeName, Stream bytes)
        {
            Type t = Type.GetType(typeName); // typeName is user-controlled
            XmlSerializer serializer = new XmlSerializer(t); // Noncompliant
            return serializer.Deserialize(bytes);
        }

However I do not see this vulnerability popping up in the scan report sonarqube creates. Do I still need to configure something to have the vulnerability and security hotspot checks work properly?
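
For readers who want to see what the rule is contrasting, here is the same method beside the usual hardening for this pattern: an allow-list that maps caller-supplied names to a fixed set of types, so `typeName` can only select a key and never decides which `Type` reaches `XmlSerializer`. This is an added example written for this thread, not code from the original post or from SonarSource; the `Order` and `Customer` classes, the `AllowedTypes` map and the sample XML are assumptions made for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Xml.Serialization;

// Hypothetical payload types (assumed for this example); in a real service these
// would be the DTOs the endpoint is documented to accept.
public class Order
{
    public int Id { get; set; }
    public decimal Total { get; set; }
}

public class Customer
{
    public string Name { get; set; }
}

public static class Deser
{
    // Noncompliant: typeName comes from the caller, so the caller decides which
    // type XmlSerializer constructs and populates from the stream.
    public static object AnotherDeser(string typeName, Stream bytes)
    {
        Type t = Type.GetType(typeName); // typeName is user-controlled
        XmlSerializer serializer = new XmlSerializer(t);
        return serializer.Deserialize(bytes);
    }

    // Allow-list (assumed for this example): the only types this code will ever
    // hand to XmlSerializer, keyed by the name the caller is permitted to send.
    private static readonly Dictionary<string, Type> AllowedTypes =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            ["Order"] = typeof(Order),
            ["Customer"] = typeof(Customer),
        };

    // Compliant: user input only selects a key; the Type itself never comes from input,
    // and unknown names are rejected before any deserialization happens.
    public static object SafeDeser(string typeName, Stream bytes)
    {
        if (typeName == null || !AllowedTypes.TryGetValue(typeName, out Type t))
        {
            throw new ArgumentException($"Deserialization of type '{typeName}' is not allowed.");
        }
        XmlSerializer serializer = new XmlSerializer(t);
        return serializer.Deserialize(bytes);
    }

    public static void Main()
    {
        // Constructed sample input for the demo.
        string xml = "<Order><Id>7</Id><Total>12.5</Total></Order>";

        using (var ok = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
        {
            var order = (Order)SafeDeser("Order", ok);
            Console.WriteLine($"Order {order.Id}, total {order.Total}");
        }

        using (var bad = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
        {
            try
            {
                // A name outside the allow-list never reaches Type.GetType or XmlSerializer.
                SafeDeser("Some.Unexpected.Type, SomeAssembly", bad);
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("Rejected: " + ex.Message);
            }
        }
    }
}
```

The point of the allow-list is that taint analysis sees a fixed `Type` flowing into the `XmlSerializer` constructor rather than one derived from `typeName`, which is exactly the data flow the rule looks for in the noncompliant version.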

Hello @bcd ,
There can be some instances where we may need to lock access to certain objects even for Sys Admins, which can be controlled through triggers, and since Apex cannot be modified in Prod, the trigger on the profile object can help with that.

Hi Jhon,

Thanks for your reply. Could you elaborate? I don’t understand your answer :smiley:

Hi,

To verify, you’re running Developer Edition($) or higher? I ask because taint analysis rules simply aren’t available in Community Edition.

 
Ann

Good morning Ann,

Yes, we’re running developer edition.


What can I do to see where this is going wrong? :slight_smile:

Hello @bcd,

Thanks for sharing this false negative, I will look into it.
Could you please share the whole code example, including the class implementation and the imports?

Thank you.

Hi bcd,

I am really interested in understanding why we are not raising an issue here and I need a reproducer to be able to investigate.

Could you please share the whole code example, including the class implementation and the imports?

Otherwise, I will just close this thread in a few days.