There are various frameworks used for implementing services in Java.
One example is a Spring RestController:
```java
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("api")
public class SQLIService {
    @GetMapping("/{badvalue}")
    public void rest(@PathVariable String badvalue) {
        // sqli(...) is the SQL sink defined in the attached example file
        sqli(badvalue); // detected by javasecurity:S3649
    }
}
```
Another example is a JAX-WS/J2EE @WebService:
```java
import javax.jws.WebMethod;
import javax.jws.WebService;

@WebService
public class SQLIService {
    @WebMethod
    public void webservice(String badvalue) {
        // same sink as above, defined in the attached example file
        sqli(badvalue); // not detected by javasecurity:S3649
    }
}
```
When using RestController, the badvalue parameter is recognized as a tainted value; when using WebService/WebMethod, it is not.
I only tested rule S3649, but I guess other rules of the Java Security Analyzer are affected as well.
Example file: SQLIService.txt

My dependencies:
- org.apache.openejb:javaee-api:6.0-6 (or any other J2EE lib)
- org.springframework:spring-web:5.3.22 (any recent one should be fine)

Our environment:
- SonarQube Data Center Edition 9.6.1
- The scan was done through the Maven plugin, no special config; the Maven project only contains this single file.
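To make the sink behind `sqli(...)` concrete, here is an added example (not the poster's attached file) of a JAX-WS endpoint whose SOAP parameter reaches JDBC in the string-concatenated form that S3649 reports for a Spring @PathVariable, next to the parameterized form that is safe whether or not the analyzer treats the @WebMethod parameter as a source. The class, method names and the container-injected DataSource are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.sql.DataSource;

// Hypothetical JAX-WS endpoint; the DataSource is assumed to be injected by the
// container via @Resource (JAX-WS endpoint classes need a no-arg constructor).
@WebService
public class UserLookupService {

    @Resource(lookup = "java:comp/DefaultDataSource") // assumed JNDI name
    private DataSource dataSource;

    // Unsafe: the SOAP parameter is pasted into the SQL text. This is exactly
    // the pattern S3649 flags for @PathVariable; a @WebMethod parameter is just
    // as attacker-controlled, so the risk is the same even when it is not flagged.
    @WebMethod
    public boolean userExistsUnsafe(String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + username + "'";
        try (Connection c = dataSource.getConnection();
             Statement st = c.createStatement()) {
            return st.executeQuery(sql).next();
        }
    }

    // Safe: the parameter is bound, so its content never becomes part of the
    // query text regardless of which sources the analyzer recognises.
    @WebMethod
    public boolean userExists(String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            return ps.executeQuery().next();
        }
    }
}
```

Running the scanner over a class like this is a quick way to confirm which of the two entry points the taint engine follows into the sink.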