-
Notifications
You must be signed in to change notification settings - Fork 465
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrapper SQL sink method triggers SQL injection detection #722
Comments
Interprocedural analysis are not in scope right now. SpotBugs and FindSecBugs are not doing call graph. Taint analysis is only applied at the function level. |
I am not asking for interprocedural analysis. The method calls should be treated according to how the method has been marked. I am asking for it to respect how both the caller and the called method have been annotated. When the SQL has not been manipulated in a calling method with the same annotated taint requirements as the method it calls, this should not itself trigger a warning. |
Can you provide the file/class and line number where each are found? I am not sure I understand what is the false positive. This line looks like it should be flagged as a new sink instruct to be used. var result = sqlHelper.executeQuery(connection, command); I am not sure where the second finding is occuring. |
The following issue is incorrectly detected:
It is triggered by the body of this method in SQLHelper.java: public default List<Map<String, Object>> executeQuery(Connection connection, String command) throws SQLException {
return executeQuery(connection, command, Collections.emptyMap());
} But both the method and the calling method have the
Given that it just passes the value though, it shouldn't trigger its own warning. |
Environment
SpotBugs Eclipse plugin: SpotBugs 4.8.4.202401211731-1e2b791 com.github.spotbugs.plugin.eclipse
FindSecBugs plugin: findsecbugs-plugin-1.12.0.jar
Eclipse running in Java 21
Problem
A wrapper method configured as a custom SQL sink that simply calls another method vulnerable to SQL injection should not itself trigger detection of a SQL injection bug.
Code
Suppose we have the following simple utility:
And the following added via -Dfindsecbugs.injection.customconfigfile.SqlInjectionDetector=custom.txt:
This simple unit test will trigger an expected bug detection:
Here is the issue detected:
But the following issue is incorrectly detected as well:
Such a wrapper method should not trigger the detection. Simply passing the value on (unmodified) to another method requiring an untainted string should not trigger any problem.
The text was updated successfully, but these errors were encountered: