Sonar still complains about security:S2083

biiyamn · January 18, 2023, 10:47am

I’ve to resolve this owasp vulnerability ‘Change this code to not construct the path from user-controlled data.’ i’ve tried to use ESAPI library but sonar still shows the vulnerability, then i managed to solve this using regex and sonar no more shows the issue but if i extract the regex code into a function and call it , sonar shows again the vulnerability. images below depicts this:

Try to fix issue with ESAPI

Try to fix issue with regex

sonar3966×473 17.6 KB
export regex into function

sonar41316×552 28.3 KB

ganncamp · January 23, 2023, 6:15pm

Hi,

What version of SonarQube are you using? You can find the version number in the page footer if you’re unsure.

Ann

biiyamn · February 8, 2023, 8:16am

it’s 9.5 (build 56709)

ganncamp · February 8, 2023, 3:00pm

Hi,

SonarQube 9.5 is a bit dusty at this point, and in fact, we just announced SonarQube 9.9 LTS yesterday.

Can you upgrade and see if this is replicable?

Ann

Topic		Replies	Views
Change this code to not log user-controlled data SonarQube Server / Community Build	4	2703	September 29, 2023
Does Sonarqube catch OWASP Top 10 vulnerabilities for NodeJS / JavaScript SonarQube Server / Community Build javascript , sonarqube , node	5	1185	May 3, 2022
CVE-2022-42889 effect on SonarQube SonarQube Server / Community Build security , cve	27	6725	November 25, 2022
Post Upgrade to LTS, there is a spike in Vulnerabilities Reported SonarQube Server / Community Build upgrade , dotnet , issues	7	776	April 24, 2023
False positive regex DoS vulnerability? SonarQube Server / Community Build sonarqube	3	7316	October 13, 2023

Sonar still complains about security:S2083

Related topics