Inconsistency in COMMAND_INJECTION Rule: Discrepancy in Violation Reporting with Nested Class
soyodream opened this issue
soyodream commented
Environment
| Component | Version |
|---|---|
| Java | 11.0.19 |
| FindSecBugs | 1.12.0 |
Problem
I have encountered an inconsistency in the detection behavior of the COMMAND_INJECTION rule in find-sec-bugs. In the first code case, the rule reports two BugInstances. However, when introducing a nested class, as shown in the second code case, the rule only reports one BugInstance. This behavior seems inconsistent.
Code
code1
```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;

class MoreMethods {
    public static HttpServletRequest req;

    // Taint source: returns request-controlled data.
    public static String tainted() {
        return req.getParameter("input");
    }

    // Returns a constant string.
    public String safe() {
        return "safe";
    }
}

class SubClass extends MoreMethods {
    HttpServletRequest req; // shadows MoreMethods.req

    // Both exec() calls are reported here (two BugInstances).
    public void method() throws IOException {
        Runtime.getRuntime().exec(safe());
        Runtime.getRuntime().exec(tainted());
    }
}
```
code2
```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;

class MoreMethods {
    public static HttpServletRequest req;

    // Taint source: returns request-controlled data.
    public static String tainted() {
        return req.getParameter("input");
    }

    // Returns a constant string.
    public String safe() {
        return "safe";
    }
}

class SubClass extends MoreMethods {
    HttpServletRequest req; // shadows MoreMethods.req

    // Same method body as code1, but inside a nested (inner) class:
    // only one of the two exec() calls is reported.
    class SubClass655 {
        public void method() throws IOException {
            Runtime.getRuntime().exec(safe());
            Runtime.getRuntime().exec(tainted());
        }
    }
}
```