Sonar scan not able to identify sanitize and normalize methods from a function call on path variable Java

java
(Sandeep Kumar) #1

Template for a good bug report, formatted with Markdown:

  • SonarQube™ Version 6.7 (build 33306) - LGPL v3
  • error observed:
  • steps to reproduce:
    – Create a Spring Boot REST endpoint with a path variable.
    – Put this line of code on the path variable for sanitizing it inside a util class:
      String valueStr = Normalizer.normalize(pathvariable, Form.NFKC);
      e.g.,
      String normalizedCatalogId = RequestNormalizingUtil.normalizer(catalogId);
    – **Sonar still complains about sanitization.**
    – Put this line of code on the path variable for sanitizing it inside the controller before using the path variable:
      String valueStr = Normalizer.normalize(pathvariable, Form.NFKC);
      e.g.,
      String normalizedCatalogId = Normalizer.normalize(catalogId, Form.NFKC);
    – Sonar does not have an issue with this. But adding the same line of code for every endpoint is duplication. Sonar should understand sanitization from util classes.
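The two layouts the report compares (normalization inside a util class versus inline in the controller) are shown below as an added, self-contained example; this is not the poster's code and not SonarSource's. The class name `RequestNormalizingUtil` and method name `normalizer` are taken from the post; `sanitizeCatalogId`, the allowlist pattern and the sample inputs are assumptions constructed for the example. It also makes a point the thread only touches: `Normalizer.normalize(..., Form.NFKC)` is a canonicalization step, not an escaping or validation step on its own, so the util method pairs it with an allowlist check, which is the part that actually neutralizes characters such as `<` or `"` in a path variable. Whether a taint-tracking rule credits such a method as a sanitizer depends on that rule's configuration, which is why the thread asks for the rule key and the plugin.

```java
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Pattern;

// Hypothetical utility, modelled on the RequestNormalizingUtil named in the post.
public final class RequestNormalizingUtil {

    // Assumed policy for a catalog id: letters, digits, dash, underscore, 1..64 chars.
    private static final Pattern CATALOG_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private RequestNormalizingUtil() {}

    // Step 1: canonicalize. NFKC folds compatibility characters (e.g. full-width 'A'
    // U+FF21 -> ASCII 'A') so the allowlist below sees one canonical form.
    public static String normalizer(String pathVariable) {
        if (pathVariable == null) {
            throw new IllegalArgumentException("path variable must not be null");
        }
        return Normalizer.normalize(pathVariable, Form.NFKC);
    }

    // Step 2: validate. Normalization does not remove '<', '"' or similar characters;
    // rejecting anything outside the allowlist is what makes this a sanitizer.
    public static String sanitizeCatalogId(String pathVariable) {
        String normalized = normalizer(pathVariable);
        if (!CATALOG_ID.matcher(normalized).matches()) {
            throw new IllegalArgumentException("invalid catalog id");
        }
        return normalized;
    }

    // In a Spring controller the endpoint would call sanitizeCatalogId(catalogId) once
    // per @PathVariable instead of repeating Normalizer.normalize(...) inline (assumed usage).
    public static void main(String[] args) {
        // Constructed inputs, not from the post.
        String fullWidth = "\uFF21\uFF22\uFF23-123";      // "ＡＢＣ-123" in full-width forms
        System.out.println(sanitizeCatalogId(fullWidth)); // prints: ABC-123

        try {
            sanitizeCatalogId("a<b");                      // survives NFKC unchanged, fails allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage()); // prints: rejected: invalid catalog id
        }
    }
}
```

Compile and run with `javac RequestNormalizingUtil.java && java RequestNormalizingUtil`; no Spring dependency is needed for the utility itself.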
(Tibor Blenessy) #2

Hello @sandeep_kumar,

this rule doesn’t seem to come from our SonarJava analyzer, but probably from some 3rd party plugin. Can you tell me the key of the rule? Which plugins do you have installed on your SonarQube instance?

Cheers

Tibor

(Sandeep Kumar) #3

XSSChecker

  • cwe-79, owasp-a7
(Michael Gumowski) #4

As requested, can you please provide the list of the plugins installed on your SonarQube instance?
XSSChecker is not a plugin maintained by SonarSource (is it the name of the plugin?).
From where did you get it? I would suggest reporting the issue to its maintainer.

This is not a rule key. From the issue, please click on the ... button to access the rule description, and copy-paste the rule key from the upper-right corner of the description. It should look like a string with two parts separated by a ‘:’, for instance: squid:S4449.

Regards,
Michael