Aravinth

Reputation: 736

SQL injection using PMD

I am stuck with a situation where FindBugs couldn't detect SQL injection in my project. The project contains multiple repos with Gradle. Is there any way I can identify it with the help of PMD? Or if you have any alternative, please suggest it.

Upvotes: 2

Views: 630

Answers (3)

fdreger

Reputation: 12505

Just so we are all on the same page:

It is impossible for a tool like PMD to find all SQL injection errors.

Tools can spot some obviously wrong patterns, but you will not get help above what you can do by hand, by simply searching all your codebase (using grep or an IDE) for strings containing "SELECT", "INSERT" and "UPDATE" and making sure they are not built using concatenation.

The value of PMD and such is not in the intelligence, but to the contrary: their stupid, small-minded stubbornness and insistence that certain patterns are avoided "just in case".

Upvotes: 1

PowerStat

Reputation: 3819

Have you already added Find Security Bugs? If not, you should, because it can detect some more security risks, including some SQL injection risks. Btw, you should no longer use FindBugs; use its successor SpotBugs. The above plugin also works fine with SpotBugs.

Upvotes: 0

Simmant

Reputation: 1513

SQL injection is mostly a vulnerability for your login portal and links opened with ?id or something like that, and I guess you don't need any tool to get it patched in Java. SQL injection and blind SQL injection attacks are both caused by careless code implementation with JDBC.

A quick fix will be to update all of your existing DB calls to PreparedStatement, and if you have an open URL for the ID, then apply proper encryption/decryption on that.

Upvotes: 0
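As an added example (not code from any of the answers above), here is the JDBC pattern the last answer describes, in the shape that grep-style searching, PMD rules and Find Security Bugs key on: the concatenated query beside its PreparedStatement replacement. The class, method and table names are made up for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {

    // VULNERABLE: the request parameter (e.g. the value of "?id=") is
    // concatenated into the SQL text. This is the pattern a grep for
    // "SELECT" plus '+' finds, and what pattern-based tools flag: a
    // non-constant String reaching Statement.executeQuery().
    static String findNameUnsafe(Connection conn, String idParam) throws SQLException {
        String sql = "SELECT name FROM users WHERE id = " + idParam;
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("name") : null;
        }
    }

    // HARDENED: the SQL text is a compile-time constant; the value travels
    // as a bound parameter and is never parsed as SQL. Checking the type up
    // front (an id must be numeric) rejects junk before it reaches the DB.
    static final String FIND_NAME = "SELECT name FROM users WHERE id = ?";

    static String findNameSafe(Connection conn, String idParam) throws SQLException {
        long id;
        try {
            id = Long.parseLong(idParam);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("id must be numeric");
        }
        try (PreparedStatement ps = conn.prepareStatement(FIND_NAME)) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }
}
```

Once every query in a module looks like the second method, a search for SQL keywords inside string concatenation should come back empty, which is the manual check the first answer recommends.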
