find-sec-bugs / find-sec-bugs

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)

Home Page:https://find-sec-bugs.github.io/


Inconsistency in SQL_INJECTION_JPA Rule: Discrepancy in Violation Reporting with Nested Class

soyodream opened this issue · comments

Environment

Component Version
Java 11.0.19
FindSecBugs 1.12.0

Problem

I have identified an inconsistency in the detection behaviour of the SQL_INJECTION_JPA rule in find-sec-bugs. In the first code case, the rule correctly reports a violation on the `prepareQuery(value)` argument of the `entityManager.createNativeQuery(...)` call, where SQL text built by string concatenation is passed as a native query. In the second code case the same `doSQL` method is moved into an anonymous inner class (the `anonWrap` field) with the query built in exactly the same way, yet the rule no longer reports a violation on that line. Since SpotBugs works on bytecode, the anonymous class is compiled to a separate class file (e.g. `EnumUseInSql$1`) that reaches `entityManager` and `prepareQuery` through the enclosing instance; that is presumably where the analysis diverges, but I have not confirmed the root cause. Either way the behaviour is inconsistent, and the second case is a false negative for code that concatenates SQL into a native query.

Code

code1

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Query;

/**
 * Reproducer for SQL_INJECTION_JPA, baseline case: a native JPA query whose SQL
 * text is assembled by string concatenation, issued from a method declared
 * directly on the class. FindSecBugs 1.12.0 flags this variant.
 */
public class EnumUseInSql {
   EntityManager entityManager;
   /**
    * Builds the SQL text by concatenating the enum's {@code toString()} result.
    * The parameter is the raw {@code Enum} type, so any enum -- including one that
    * overrides {@code toString()}, as {@code SomeEnum} in this listing does -- can
    * be passed in. The detector presumably reacts to a non-constant string reaching
    * the query rather than to where the value originates; for {@code SomeEnum} the
    * value is a compile-time constant, so this is a pattern match, not live taint.
    */
   private String prepareQuery(Enum someEnum) {
       String sql = " ... some SQL... " + someEnum.toString();
       return sql;
   }
   /** Runs the concatenated SQL as a native query mapped onto {@code UserEntity}. */
   public void doSQL(SomeEnum value) {
       Query q = entityManager.createNativeQuery(
               prepareQuery(value),    // SQL_INJECTION_JPA is reported on this line
               UserEntity.class);
   }
}

/** Minimal JPA entity used only as the result mapping of the native query. */
@Entity
class UserEntity {
   @Id private Long id;

   /** Returns the primary key; null until one has been assigned. */
   public Long getId() {
       return this.id;
   }

   /** Assigns the primary key. */
   public void setId(Long id) {
       this.id = id;
   }
}

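/**
 * Enum whose string form is a fixed display name rather than the constant name.
 * Because {@code toString()} is overridden, its result is what ends up
 * concatenated into the SQL text in {@code EnumUseInSql#prepareQuery}.
 */
enum SomeEnum {
   A("a"),
   B("b");

   private final String someName;

   SomeEnum(String someName) {
       this.someName = someName;
   }

   /** Returns the display name supplied at construction, not {@link #name()}. */
   @Override
   public String toString() {
       return someName;
   }
}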

code2

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Query;

/**
 * Reproducer for SQL_INJECTION_JPA, nested-class case: the same concatenated
 * native query as the baseline, but issued from a method of an anonymous inner
 * class. FindSecBugs 1.12.0 does not flag this variant.
 */
public class EnumUseInSql {
   EntityManager entityManager;
   /**
    * Builds the SQL text by concatenating the enum's {@code toString()} result.
    * Identical to the baseline case; the raw {@code Enum} parameter accepts any
    * enum, including one that overrides {@code toString()} as {@code SomeEnum} does.
    */
   private String prepareQuery(Enum someEnum) {
       String sql = " ... some SQL... " + someEnum.toString();
       return sql;
   }
   // The anonymous class is compiled to its own class file and, being non-static,
   // holds a reference to the enclosing EnumUseInSql instance, through which it
   // reads entityManager and calls prepareQuery. That separation is the only
   // difference from the baseline and is the likely reason the detector misses
   // this call -- to be confirmed against the detector implementation.
   Object anonWrap =
           new Object() {
               /** Same native query as the baseline, built by concatenation. */
               public void doSQL(SomeEnum value) {
                   Query q = entityManager.createNativeQuery(
                           prepareQuery(value),    // SQL_INJECTION_JPA is NOT reported here
                           UserEntity.class);
               }
           };
}

/** Minimal JPA entity used only as the result mapping of the native query. */
@Entity
class UserEntity {
   @Id private Long id;

   /** Returns the primary key; null until one has been assigned. */
   public Long getId() {
       return this.id;
   }

   /** Assigns the primary key. */
   public void setId(Long id) {
       this.id = id;
   }
}

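/**
 * Enum whose string form is a fixed display name rather than the constant name.
 * Because {@code toString()} is overridden, its result is what ends up
 * concatenated into the SQL text in {@code EnumUseInSql#prepareQuery}.
 */
enum SomeEnum {
   A("a"),
   B("b");

   private final String someName;

   SomeEnum(String someName) {
       this.someName = someName;
   }

   /** Returns the display name supplied at construction, not {@link #name()}. */
   @Override
   public String toString() {
       return someName;
   }
}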