Which methods are considered Sinks for your SQL Injection rules for Java?


dave.w...@owasp.org

May 24, 2016, 10:32:36 AM
to SonarQube
Is there a way to get the list of methods that SonarQube considers SQL sinks for your SQL injection rules? For example, are the rules open source?

I'm asking because I'm reviewing a Java app using the Spring Framework which is being monitored by SonarQube and SonarQube is not finding what looks like blatant potential SQL injection issues when the SQL is passed to SpringFramework JdbcTemplate SQL methods.

For example:

org.springframework.jdbc.core.JdbcTemplate jdbcTemplate;

public void someMethod(String name) {
  // "name" is concatenated straight into the statement text: SQL injection
  jdbcTemplate.queryForObject("select * from FOO where bar = '" + name + "'",
                              (rs, rowNum) -> rs.getString("bar"));

...

There are a crap ton of methods in the jdbcTemplate class that accept SQL and it would be awesome if there was some public list of methods SonarQube supports in that class so I can make sure the methods I'm using are covered. Or it would be good to know that this class is NOT covered by SonarQube at all.

Thanks, Dave

Nicolas Peru

May 24, 2016, 10:42:40 AM
to dave.w...@owasp.org, SonarQube
Hi, 

The whole Java plugin is open source and the sources are available on GitHub. The check you are talking about is this one: https://github.com/SonarSource/sonar-java/blob/master/java-checks/src/main/java/org/sonar/java/checks/SQLInjectionCheck.java

And from there you can easily see that we are checking things with a whitelist approach on a bunch of specific methods, which does not include jdbcTemplate.

Cheers, 

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/a4b14307-0372-4c2d-9795-de0e2a4a5347%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com
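To make concrete what the thread is about, here is an added example (not code from the thread, from SonarSource or from Spring): the JdbcTemplate lookup written once as a SQL-injection sink, i.e. the shape of call the reply above says the whitelist does not cover, and once as a bound-parameter query. It assumes spring-jdbc and the H2 driver on the classpath; the table, rows and the `findNames*` method names are constructed for the example.

```java
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

import java.util.List;

/**
 * Added example, not from the thread: the same JdbcTemplate query as an
 * injection sink and as a parameterised statement. Assumes spring-jdbc and
 * H2 on the classpath; table name, rows and method names are made up here.
 */
public class JdbcTemplateInjectionDemo {

    private final JdbcTemplate jdbcTemplate;

    JdbcTemplateInjectionDemo(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    // VULNERABLE: untrusted input is concatenated into the statement text,
    // so a single quote in "bar" rewrites the WHERE clause. Static analysis
    // only catches this if queryForList(String, Class) is on its sink list.
    List<String> findNamesUnsafe(String bar) {
        String sql = "select name from FOO where bar = '" + bar + "'";
        return jdbcTemplate.queryForList(sql, String.class);
    }

    // HARDENED: the statement text is a constant; "bar" travels as a bound
    // parameter and cannot change the structure of the query.
    List<String> findNamesSafe(String bar) {
        return jdbcTemplate.queryForList(
                "select name from FOO where bar = ?", String.class, bar);
    }

    public static void main(String[] args) {
        // In-memory H2 database so the example runs offline.
        DriverManagerDataSource ds = new DriverManagerDataSource();
        ds.setUrl("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1");
        ds.setUsername("sa");
        ds.setPassword("");
        JdbcTemplate template = new JdbcTemplate(ds);

        // Constructed sample data: one "public" row and one "secret" row.
        template.execute("create table FOO (name varchar(32), bar varchar(32))");
        template.update("insert into FOO values (?, ?)", "alice", "public");
        template.update("insert into FOO values (?, ?)", "bob", "secret");

        JdbcTemplateInjectionDemo demo = new JdbcTemplateInjectionDemo(template);

        // Classic tautology payload: closes the literal and appends OR '1'='1'.
        String payload = "nothing' OR '1'='1";

        System.out.println("unsafe: " + demo.findNamesUnsafe(payload));
        System.out.println("safe:   " + demo.findNamesSafe(payload));
    }
}
```

With the tautology payload the unsafe method returns every row of FOO, including the "secret" one, while the parameterised method returns no rows because the whole payload is compared as a literal value of `bar`. The defensive point for reviewers is that every JdbcTemplate overload taking a `String sql` is a sink in exactly this way; a scanner that whitelists only a handful of JDBC or Hibernate methods stays silent on all of them.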

dave.w...@owasp.org

May 24, 2016, 12:46:46 PM
to SonarQube, dave.w...@owasp.org
Thanks Nicolas!  How do I request that the MANY SQL methods from this library/class be added to this SonarQube rule? Given that the Spring Framework is so popular, I'm surprised that it's not supported already ...

-Dave

Nicolas Peru

May 25, 2016, 8:53:30 AM
to dave.w...@owasp.org, SonarQube
Hi Dave,

Well, this is the perfect place to ask for this kind of improvement! :)

Would you mind detailing precisely which method(s) defined on which type(s) you would like to see supported ?

Cheers, 


dave.w...@owasp.org

May 25, 2016, 10:48:38 AM
to SonarQube, dave.w...@owasp.org
Practically every method in that class that allows you to perform a query by passing in a string with the query in it should be on that list. It's too many to list. I think it's several dozen and it should be pretty easy for you to figure out.

Do you want me to open a JIRA ticket for this? Can I do that? Or can you do it for me?

Thanks, Dave

dave.w...@owasp.org

May 26, 2016, 2:38:49 PM
to SonarQube, dave.w...@owasp.org
I believe the find-sec-bugs project already handles all this properly and you can leverage the work this project has already done in this area.  They've already documented all the SQL Injection sinks in Spring here: https://github.com/find-sec-bugs/find-sec-bugs/blob/master/plugin/src/main/resources/injection-sinks/sql-spring.txt

I haven't vetted this list but suspect it's accurate.

In fact, I'd encourage SonarSource to go through all the SINKS this project has documented (https://github.com/find-sec-bugs/find-sec-bugs/tree/master/plugin/src/main/resources/injection-sinks) and make sure you cover ALL of them. For SQL injection specifically, make sure you cover everything in the 5 SQL sink files that this project already has.

When you create a JIRA for this, can you send me a note with the ticket link so I can track progress on this?

Thanks, Dave
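Anyone who wants to compare a scanner's whitelist against the find-sec-bugs sink files needs to read their line format. The following is an added example, not code from the thread or from find-sec-bugs, written against that format as I understand it: one sink per line, `owner/Class.method(descriptor)returnType:argIndex[,argIndex...]`, where each index counts from the last parameter (0 = last). The three sample lines are constructed in that format for the example and are not copied from the project's files; `#` comment handling, the `Sink` type and the method names are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

/**
 * Added example, not from the thread or from find-sec-bugs: a small reader
 * for sink entries in the line format find-sec-bugs uses for its
 * injection-sinks files, as understood here:
 *   owner/Class.method(descriptor)returnType:argIndex[,argIndex...]
 * Argument indices are assumed to count from the LAST parameter (0 = last).
 */
public class SinkList {

    /** One sink entry: which method, and which parameters must not carry untrusted data. */
    public static final class Sink {
        public final String owner;       // e.g. org/springframework/jdbc/core/JdbcTemplate
        public final String name;        // e.g. queryForObject
        public final String descriptor;  // e.g. (Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;
        public final List<Integer> argsFromEnd;

        Sink(String owner, String name, String descriptor, List<Integer> argsFromEnd) {
            this.owner = owner;
            this.name = name;
            this.descriptor = descriptor;
            this.argsFromEnd = argsFromEnd;
        }
    }

    /** Parses the whole file contents; blank lines and (assumed) '#' comments are skipped. */
    public static List<Sink> parse(String text) {
        List<Sink> sinks = new ArrayList<>();
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            int paren = line.indexOf('(');
            int colon = line.lastIndexOf(':');
            int dot = paren < 0 ? -1 : line.lastIndexOf('.', paren);
            if (paren < 0 || colon < paren || dot < 0) {
                throw new IllegalArgumentException("unrecognised sink line: " + line);
            }
            String owner = line.substring(0, dot);
            String name = line.substring(dot + 1, paren);
            String descriptor = line.substring(paren, colon);
            List<Integer> idx = new ArrayList<>();
            for (String p : line.substring(colon + 1).split(",")) {
                idx.add(Integer.parseInt(p.trim()));
            }
            sinks.add(new Sink(owner, name, descriptor, idx));
        }
        return sinks;
    }

    /** Number of parameters in a JVM method descriptor such as (Ljava/lang/String;[I)V. */
    static int parameterCount(String descriptor) {
        int count = 0;
        int i = 1;                                     // skip the opening '('
        while (descriptor.charAt(i) != ')') {
            while (descriptor.charAt(i) == '[') i++;   // array dimensions
            if (descriptor.charAt(i) == 'L') {
                i = descriptor.indexOf(';', i) + 1;    // object type ends at ';'
            } else {
                i++;                                   // single-letter primitive
            }
            count++;
        }
        return count;
    }

    /** Dangerous parameter positions counted from the first parameter (0-based). */
    public static List<Integer> taintedPositions(Sink s) {
        int n = parameterCount(s.descriptor);
        return s.argsFromEnd.stream().map(i -> n - 1 - i).collect(Collectors.toList());
    }

    /** True if a call to owner.name with this descriptor is on the sink list. */
    public static boolean isSink(List<Sink> sinks, String owner, String name, String descriptor) {
        return sinks.stream().anyMatch(s ->
                s.owner.equals(owner) && s.name.equals(name) && s.descriptor.equals(descriptor));
    }

    public static void main(String[] args) {
        // Constructed sample lines in the assumed format (not copied from find-sec-bugs).
        String sample = String.join("\n",
                "# JdbcTemplate sinks (constructed sample)",
                "org/springframework/jdbc/core/JdbcTemplate.execute(Ljava/lang/String;)V:0",
                "org/springframework/jdbc/core/JdbcTemplate.queryForObject(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;:1",
                "org/springframework/jdbc/core/JdbcTemplate.update(Ljava/lang/String;[Ljava/lang/Object;)I:1");

        List<Sink> sinks = parse(sample);
        for (Sink s : sinks) {
            System.out.println(s.name + s.descriptor + " -> tainted positions " + taintedPositions(s));
        }
        System.out.println("queryForObject(String, Class) is a sink: " + isSink(sinks,
                "org/springframework/jdbc/core/JdbcTemplate", "queryForObject",
                "(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;"));
    }
}
```

Reading the indices from the end is what makes the `queryForObject(String, Class)` entry carry `:1` rather than `:0`: the SQL string is the second-to-last parameter. Feed the real `sql-spring.txt` (and the other four SQL files) through `parse` and every entry that `isSink` does not find in the scanner's own whitelist is a coverage gap of the kind this thread is about.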

Michael Gumowski

Jun 2, 2016, 10:40:45 AM
to Dave Wichers, SonarQube
Hello Dave, 

Thanks for the links to all these possible sinks from find-sec-bugs. 
I created the following JIRA ticket in order to increase our coverage and target the spring framework as well: https://jira.sonarsource.com/browse/SONARJAVA-1709

We will surely have a look at all the other potential sources of trouble while working on the ticket.

Regards,

Michael GUMOWSKI | SonarSource
Software Developer @ Language Team
http://sonarsource.com
