
Inconsistency in SQL_INJECTION_JPA Rule: Discrepancy in Violation Reporting with Nested Class #718

Open
soyodream opened this issue Dec 18, 2023 · 0 comments
Labels
false-negative Something that we have miss.

Comments

@soyodream

Environment

Component     Version
Java          11.0.19
FindSecBugs   1.12.0

Problem

I have identified an inconsistency in the detection behavior of the SQL_INJECTION_JPA rule in find-sec-bugs. In the first code case, the rule correctly reports a violation at line 14. However, when introducing a nested class, as shown in the second code case, the rule fails to report the violation at the same location. This behavior is inconsistent.

Code

code1

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Query;

public class EnumUseInSql {
   EntityManager entityManager;
   private String prepareQuery(Enum someEnum) {
       String sql = " ... some SQL... " + someEnum.toString();
       return sql;
   }
   public void doSQL(SomeEnum value) {
       Query q = entityManager.createNativeQuery(
               prepareQuery(value),    //report a violation
               UserEntity.class);
   }
}

@Entity
class UserEntity {
   @Id private Long id;
   public Long getId() {
       return id;
   }
   public void setId(Long id) {
       this.id = id;
   }
}

enum SomeEnum {
   A("a"),
   B("b");
   private final String someName;
   SomeEnum(String someName) {
       this.someName = someName;
   }
   public String toString() {
       return someName;
   }
}

code2

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Query;

public class EnumUseInSql {
   EntityManager entityManager;
   private String prepareQuery(Enum someEnum) {
       String sql = " ... some SQL... " + someEnum.toString();
       return sql;
   }
   Object anonWrap =
           new Object() {
               public void doSQL(SomeEnum value) {
                   Query q = entityManager.createNativeQuery(
                           prepareQuery(value),    //does not report a violation
                           UserEntity.class);
               }
           };
}

@Entity
class UserEntity {
   @Id private Long id;
   public Long getId() {
       return id;
   }
   public void setId(Long id) {
       this.id = id;
   }
}

enum SomeEnum {
   A("a"),
   B("b");
   private final String someName;
   SomeEnum(String someName) {
       this.someName = someName;
   }
   public String toString() {
       return someName;
   }
}
@h3xstream h3xstream added the false-negative Something that we have miss. label Feb 26, 2024
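For readers triaging this finding in their own code, here is an added example (not from the issue reporter or the find-sec-bugs project) that keeps the anonymous-wrapper shape of code2 but binds the enum value as a query parameter instead of concatenating it into the SQL text. The table and column names are assumptions; SomeEnum and UserEntity are repeated in compact form so the file compiles on its own.

```java
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Query;

public class EnumUseInSqlSafe {
    EntityManager entityManager;

    // The SQL text is a compile-time constant; the runtime value never becomes part of it.
    // Table and column names are assumptions for this example.
    private static final String SQL_BY_NAME =
            "SELECT u.* FROM user_entity u WHERE u.name = ?1";

    // Same anonymous inner class structure as code2 in the issue, so the call site is
    // located in EnumUseInSqlSafe$1 rather than in the outer class.
    Object anonWrap =
            new Object() {
                public void doSQL(SomeEnum value) {
                    // Positional bind parameter: the driver sends the value separately
                    // from the statement, so there is no string to inject into.
                    Query q = entityManager
                            .createNativeQuery(SQL_BY_NAME, UserEntity.class)
                            .setParameter(1, value.toString());
                    q.getResultList();
                }
            };

    // Alternative for a closed value set: map each constant to a fixed SQL statement,
    // so no runtime string ever reaches createNativeQuery at all.
    static String constantQueryFor(SomeEnum value) {
        switch (value) {
            case A:
                return "SELECT u.* FROM user_entity u WHERE u.name = 'a'";
            case B:
                return "SELECT u.* FROM user_entity u WHERE u.name = 'b'";
            default:
                throw new IllegalArgumentException("unsupported value: " + value);
        }
    }
}

@Entity
class UserEntity {
    @Id private Long id;
    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
}

enum SomeEnum {
    A("a"),
    B("b");
    private final String someName;
    SomeEnum(String someName) { this.someName = someName; }
    @Override public String toString() { return someName; }
}
```

Either form removes the concatenation that SQL_INJECTION_JPA looks for, which matters precisely because, as the issue shows, the detector may not report the concatenated form when the call sits inside a nested or anonymous class; a scan that stays clean is then a property of the code rather than of the detector's coverage.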