[S2077] Values passed to SQL commands should be sanitized: false positive?


Dominique Jean-Prost

Sep 1, 2015, 10:52:33 AM9/1/15
to SonarQube
Hello,

The rule S2077 shows, to my mind, a false positive with code such as this:

private static final String LOAD_CG = " cg.CGID, cg.CGLib, cg.CGValide, cg.CieID, cg.CatAgtCNR, cg.CGVer, cg.Portefeuille ";

protected ConditionsGeneralesStateHolder findConditionsGeneralesByContratPK(final ContratPK contratPK, final Connection connexion) {

    PreparedStatement select = null;
    ResultSet resultat = null;
    ConditionsGeneralesStateHolder cgsh = null;

    try {
        // LOAD_CG is a compile-time constant; the only runtime value is bound through the '?' placeholder
        select = connexion.prepareStatement("SELECT " + ConditionsGeneralesDAO.LOAD_CG + " from cg where cgid in (select ctra.cgid from ctra where ctraid= ?)");
...


Sonar says: "" is provided externally to the method and not sanitized before use. In this case, the constant LOAD_CG doesn't need to be sanitized, does it?

What do you think of it?
Thank you.
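The distinction the thread turns on is between SQL text assembled from compile-time constants (nothing external can reach it) and SQL text assembled from a method parameter (which S2077 exists to flag). The following is an added example, not code from the thread or from SonarSource; it reuses the column list and query from the post, but the class name `ConditionsGeneralesQuery`, the method names, the `long` contract id and the `CGLib` result column are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical DAO contrasting a constant-built query with a parameter-built one. */
public final class ConditionsGeneralesQuery {

    // Compile-time constant: no external input can reach it, so concatenating it into
    // the SQL text cannot inject anything. This is the case the thread calls a false positive.
    static final String LOAD_CG =
        " cg.CGID, cg.CGLib, cg.CGValide, cg.CieID, cg.CatAgtCNR, cg.CGVer, cg.Portefeuille ";

    // The whole statement is fixed at class-load time; the only runtime value travels
    // through the '?' bind parameter and never becomes part of the SQL text.
    static final String SELECT_BY_CONTRACT =
        "SELECT " + LOAD_CG + " FROM cg WHERE cgid IN (SELECT ctra.cgid FROM ctra WHERE ctraid = ?)";

    /** Safe: the contract id is bound with setLong, not concatenated. */
    public static List<String> findCgLibsByContractId(Connection connexion, long contratId)
            throws SQLException {
        List<String> libs = new ArrayList<>();
        try (PreparedStatement select = connexion.prepareStatement(SELECT_BY_CONTRACT)) {
            select.setLong(1, contratId);
            try (ResultSet resultat = select.executeQuery()) {
                while (resultat.next()) {
                    libs.add(resultat.getString("CGLib"));
                }
            }
        }
        return libs;
    }

    /**
     * Unsafe counterpart that S2077 is meant to catch: the String parameter (which may
     * originate from a request) is spliced into the SQL text. Using prepareStatement()
     * does not help here, because the text is already altered before the driver parses it.
     * The fix is the method above: keep the text constant and bind the value.
     */
    public static List<String> findCgLibsByContractIdUnsafe(Connection connexion, String contratId)
            throws SQLException {
        String sql = "SELECT " + LOAD_CG
            + " FROM cg WHERE cgid IN (SELECT ctra.cgid FROM ctra WHERE ctraid = " + contratId + ")";
        List<String> libs = new ArrayList<>();
        try (PreparedStatement select = connexion.prepareStatement(sql);
             ResultSet resultat = select.executeQuery()) {
            while (resultat.next()) {
                libs.add(resultat.getString("CGLib"));
            }
        }
        return libs;
    }

    private ConditionsGeneralesQuery() {
    }
}
```

A useful review heuristic when triaging S2077 findings: if every piece concatenated into the statement is a `static final String` initialised with a literal (or an expression built only from such constants), the query text is as fixed as a plain literal and the finding is noise; if any piece is a parameter, field set at runtime, or result of a call, treat it as a real injection point and move that value to a bind parameter.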

Nicolas Peru

Sep 1, 2015, 11:17:12 AM9/1/15
to Dominique Jean-Prost, SonarQube
Hi, 

Can you specify which version of the java plugin is raising the issue?

Thanks.

Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com


--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/5b47010d-8a77-4910-a4b0-99c9de7af2d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Dominique Jean-Prost

Sep 2, 2015, 2:53:07 AM9/2/15
to SonarQube, djean...@gmail.com
Hello Nicolas,

Java plugin version 3.5 raises this issue. Previous versions did too, to my mind.
Dominique

Michael Gumowski

Oct 7, 2015, 4:07:26 AM10/7/15
to Dominique Jean-Prost, SonarQube
Hello,

Sorry for the late answer. This is indeed a FP and we should not raise an issue. Thank you for your feedback!
I just created the JIRA ticket to handle the issue: https://jira.sonarsource.com/browse/SONARJAVA-1323

Cheers,

Michael GUMOWSKI | SonarSource
Software Developer @ Language Team
http://sonarsource.com
