SonarQube cannot detect SQL Injection

itoh110 · August 24, 2022, 6:29am

SonarQube scanned the following source code using Mybatis for O/R Mapper, but it could not detect SQL Injection.

/**
 *  This API registers in the DB the string set in the parameter without escaping.
 * @param str The string you want to insert.
 */
@Insert("INSERT INTO ECHO (VOICE) VALUES ( ${str})")
void EchoSqlInjection(String str);

Can SonarQube detect SQL Injection in source code using MyBatis?

Colin · August 24, 2022, 7:29am

Hey there.

What version of SonarQubea re you using? What edition?

itoh110 · August 25, 2022, 12:10am

I am using the following version.

Edition: Developer Edition
Version: Version 9.5 (build 56709)

Loris_Sierra · August 25, 2022, 8:13am

Hello @itoh110!

Welcome to our community, and thanks a lot for your post and precisions.

This library is not supported yet, but we can add it! I am going to create an internal ticket to add it.

If you don’t mind, can you tell me more about how you use this library ?
For example:

Do you have a specific use case for it
Is this in a professional environment, in production?
Do you use Mybatis, Mybatis-Spring, or an equivalent?
Do you declare this kind of function in interfaces, as the docs illustrate?

Having real-life insights about this library will help me a lot in understanding how we should internally address it.

Thanks a lot!

Cheers,

Loris

Loris_Sierra · November 28, 2022, 9:35am

Meguru Ito:

/**
 *  This API registers in the DB the string set in the parameter without escaping.
 * @param str The string you want to insert.
 */
@Insert("INSERT INTO ECHO (VOICE) VALUES ( ${str})")
void EchoSqlInjection(String str);

I made a ticket internally to track that. Thanks for your feedback!

Cheers,

Loris

system · December 5, 2022, 9:36am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.