Hello, I am considering using SonarQube in my company and would like to ensure something about false negatives.
I am using:
SonarQube CE server 8.8.0.42792
Gradle plugin id “org.sonarqube” version “3.0”
While scanning code to verify against SQL injection, I noticed that the scanner missed a manually confirmed vulnerability. After a closer look and a few tests, I noticed that SonarQube doesn't detect SQL injection when the query is the result of, e.g., a joining function.
This will be properly flagged as security hotspot:
```java
public void testSqlInjection_A(String input) {
    try (Connection conn = dataSource.getConnection()) {
        // user-controlled input concatenated directly into the SQL text
        String query = "select * from table where id = ? OR x = '" + input + "'";
        PreparedStatement preparedStatement = conn.prepareStatement(query);
        preparedStatement.setString(1, input);
        ResultSet resultSet = preparedStatement.executeQuery();
    } catch (Exception ignored) {
    }
}
```
While this function will not be flagged:
```java
public void testSqlInjection_B(String input) {
    try (Connection conn = dataSource.getConnection()) {
        List<String> queryParts = new ArrayList<>();
        // same concatenation, but the string now passes through a List and a Joiner
        queryParts.add("select * from table where id = ? OR x = '" + input + "'");
        String query = com.google.common.base.Joiner.on("").skipNulls().join(queryParts);
        PreparedStatement preparedStatement = conn.prepareStatement(query);
        preparedStatement.setString(1, input);
        ResultSet resultSet = preparedStatement.executeQuery();
    } catch (Exception ignored) {
    }
}
```
Is it possible at all for Sonar to detect such vulnerabilities, or is the amount of possibilities just too great? I could imagine somebody using some EscapeSQL class instead of Joiner and that being flagged as a false positive, but isn't a false positive better than a false negative?
testSqlInjection_A was flagged by RSPEC-2077, but shouldn't it also be detected by RSPEC-3649?
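For comparison, here is a hardened form of the second method. This is an added example, not code from the post above or from SonarSource; it assumes the same injected `dataSource` field the post uses and a hypothetical class `SafeQueryExample` to hold it. The point is that the scanner's gap is about tracking tainted data through a collection and a joiner, whereas the fix does not depend on the scanner at all: if the user-controlled value never becomes part of the SQL text, joining constant fragments is harmless, and the input only reaches the database as a bound parameter.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

public class SafeQueryExample {
    // assumed to be provided by the application, as in the post
    private final DataSource dataSource;

    public SafeQueryExample(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Hardened counterpart of testSqlInjection_B: the query is still assembled
    // from parts with a joiner, but every part is a constant, so the SQL text
    // cannot be influenced by the caller. The second condition uses a "?"
    // placeholder instead of "'" + input + "'".
    public int countMatches(String input) throws SQLException {
        List<String> queryParts = new ArrayList<>();
        queryParts.add("select * from table where id = ?");
        queryParts.add(" OR x = ?");
        // String.join is used here to avoid a Guava dependency; Guava's Joiner
        // would be equally safe because no tainted data is among the parts.
        String query = String.join("", queryParts);

        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(query)) {
            // the user-controlled value is bound twice, never concatenated
            ps.setString(1, input);
            ps.setString(2, input);
            try (ResultSet rs = ps.executeQuery()) {
                int rows = 0;
                while (rs.next()) {
                    rows++;
                }
                return rows;
            }
        }
    }
}
```

A practical check that complements the scanner: in review, require that every argument passed to `prepareStatement` is either a literal or is built exclusively from literals, so that a string flowing in from a method parameter, a collection or a helper like Joiner is treated as suspect regardless of whether a rule such as RSPEC-3649 happens to follow it.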