@WebService/@WebMethod not recognized as taint source

There are various frameworks used for implementing services in java.

One example is Spring RestController:

public class SQLIService {
	public void rest(@PathVariable String badvalue) {
		sqli(badvalue); // detected by javasecurity:S3649

Another example is JaxWS/J2EE @WebService:

public class SQLIService {
	public void webservice(String badvalue) {
		sqli(badvalue); // not detected by javasecurity:S3649

When using RestController the badvalue parameter is recognized as tainted value, when using WebService/WebMethod it is not.

I only tested rule S3649, but I guess other rules of the Java Security Analyzer are affected as well.

example file:
SQLIService.txt (1.2 KB)

my dependencies:
org.apache.openejb:javaee-api:6.0-6 (or any other j2ee lib)
org.springframework:spring-web:5.3.22 (any recent one should be fine)

our environment:
SonarQube Datacenter Edition 9.6.1
scan was done through the Maven Plugin, no special config, maven project only contains this single file.

1 Like

Hey Roman,

Thanks a lot for this very detailed feedback, and thanks a lot for keeping on giving feedback, that is very much appreciated :pray:

You are absolutely right that our taint-related rules do not detect vulnerabilities on JaxWS/J2EE yet. I am starting an internal discussion and creating a ticket to handle that.

Have a good day!


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.