DodgyCodeException

Reputation: 6123

SonarQube false positive SQL injection

I have a query whose exact value depends on several input parameters. It looks a bit like this:

// Every optional fragment is a compile-time constant chosen by a branch; no caller text is spliced in.
final String otherColumns = includeExtras ? ", baz" : "";
final String otherRestriction = name.equals("fred") ? " and bar = baz" : "";
PreparedStatement stmt = conn.prepareStatement(
        "select foo, bar" + otherColumns + " from t where x = y" + otherRestriction);

SonarQube reports that this is vulnerable to SQL injection, but in fact it is obvious that all "injections" come from source code and not directly from parameters, therefore there is no vulnerability.

Is there a flag or setting to get SonarQube to spend more time doing data flow analysis so that it can see that there is no vulnerability here?

Upvotes: 1

Views: 1040

Answers (1)

Djordje Nedovic

Reputation: 765

SQL injection rule was raised because you don't use Parameterized Query.

Here you can find more details about it.

Upvotes: 1
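The following is an added example, not code from the question or the answer, showing one way to keep the question's "fragments chosen by a flag" structure while satisfying the parameterized-query rule the answer refers to. It goes a little beyond the question: the optional restriction here also compares against the caller-supplied `name` through a `?` bind parameter, so the only text that ever reaches the statement is a fixed set of constants. The class `SafeQueryBuilder`, its methods and the `name = ?` predicate are hypothetical names chosen for the example; the table and column names are the question's own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Hypothetical helper (not from the question): every SQL fragment is a compile-time
// constant, and any value that came from the caller is passed as a bind parameter.
public final class SafeQueryBuilder {

    // The complete allowlist of text that can ever be spliced into the statement.
    private static final String BASE_SELECT = "select foo, bar";
    private static final String EXTRA_COLUMNS = ", baz";
    private static final String BASE_WHERE = " from t where x = y";
    // Assumption for the example: the restriction also filters on the bound name.
    private static final String NAME_RESTRICTION = " and bar = baz and name = ?";

    private SafeQueryBuilder() {
    }

    /**
     * Builds the statement text from boolean flags only. No caller-supplied
     * string is concatenated, so the result is one of exactly four constants.
     */
    static String buildSql(boolean includeExtras, boolean restrictByName) {
        StringBuilder sql = new StringBuilder(BASE_SELECT);
        if (includeExtras) {
            sql.append(EXTRA_COLUMNS);
        }
        sql.append(BASE_WHERE);
        if (restrictByName) {
            sql.append(NAME_RESTRICTION);
        }
        return sql.toString();
    }

    /**
     * Prepares the statement and binds the user-supplied name as a parameter,
     * never as SQL text. Decides the branch exactly as the question does
     * (name equal to "fred"), but null-safely.
     */
    static PreparedStatement prepare(Connection conn, boolean includeExtras, String name)
            throws SQLException {
        boolean restrictByName = "fred".equals(name);
        PreparedStatement stmt = conn.prepareStatement(buildSql(includeExtras, restrictByName));
        if (restrictByName) {
            stmt.setString(1, name); // bound value, not concatenated text
        }
        return stmt;
    }

    public static void main(String[] args) {
        // Prints the four possible statement texts so the allowlist is visible.
        System.out.println(buildSql(false, false));
        System.out.println(buildSql(true, false));
        System.out.println(buildSql(false, true));
        System.out.println(buildSql(true, true));
    }
}
```

The behaviour of the original snippet is unchanged for the columns and the fixed restriction; what differs is that the string fed to `prepareStatement` is built only from `boolean` flags, so a taint analyser sees no path from a caller-supplied `String` into the SQL text, and the one caller value that does reach the database arrives through `setString`.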
