Enhance and merge sast-rule java/inject/rule-CustomInjectionSQLString.yml with java/inject/rule-SqlInjection.yml
We removed this rule as it was deemed to generate too many false positives, before reintroducing an enhanced version in #437665 (closed).
There is potential to further enhance it:
- Instead of allow-listing calls that merely look like logger calls, explicitly test that a SQL sink is being called with the concatenated string
- Test that the concatenated variable is of type `String` and a parameter to a public method, and not the result of some other method which might return safe values (e.g. loaded from configuration).
Moreover, this rule significantly overlaps with `java/inject/rule-SqlInjection.yml`: both should be merged into one.
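To make the two enhancement points concrete, here is a Java fixture (added for this issue, not code from the sast-rules project) covering the cases a merged rule has to tell apart: a `String` parameter of a public method concatenated into a query that reaches a JDBC sink, the same concatenation feeding only a logger, a value that comes from configuration rather than a parameter, a non-`String` parameter, and the parameterized form that should never be reported. Class, method and property names are hypothetical; the `// ruleid:` / `// ok:` comments follow semgrep's test-fixture convention, with `<rule-id>` as a placeholder for whatever id the merged rule ends up with.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import java.util.logging.Logger;

// Hypothetical fixture class; the Connection and Properties are injected so the
// file compiles without any database being present.
public class SqlSinkFixture {
    private static final Logger LOG = Logger.getLogger(SqlSinkFixture.class.getName());
    private final Connection conn;
    private final Properties config;

    public SqlSinkFixture(Connection conn, Properties config) {
        this.conn = conn;
        this.config = config;
    }

    // Case 1: expected finding. `name` is a String parameter of a public method, it is
    // concatenated into the query, and the result reaches a JDBC sink (Statement.executeUpdate).
    public int deleteUser(String name) throws SQLException {
        String query = "DELETE FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement()) {
            // ruleid: <rule-id>
            return st.executeUpdate(query);
        }
    }

    // Case 2: no SQL sink. The concatenated string only reaches a logger, so checking the
    // sink call (rather than excusing calls that look like logging) keeps this quiet.
    public void auditLookup(String name) {
        String message = "lookup requested for user " + name;
        // ok: <rule-id>
        LOG.info(message);
    }

    // Case 3: concatenated value is not a method parameter but the return value of another
    // method (here a configuration lookup). Not ideal style, but it is the "might return
    // safe values" case from the issue and should not be reported as injection.
    public int countRows() throws SQLException {
        String table = config.getProperty("reporting.table", "events");
        String query = "SELECT COUNT(*) FROM " + table;
        try (Statement st = conn.createStatement()) {
            // ok: <rule-id>
            return st.executeUpdate(query);
        }
    }

    // Case 4: the parameter is not a String. An int cannot carry SQL syntax, so the type
    // check excludes it even though the shape of the code matches case 1.
    public int deleteById(int id) throws SQLException {
        String query = "DELETE FROM users WHERE id = " + id;
        try (Statement st = conn.createStatement()) {
            // ok: <rule-id>
            return st.executeUpdate(query);
        }
    }

    // Case 5: the fix. The query text is constant and the parameter is bound through
    // PreparedStatement, so user input never becomes part of the SQL string.
    public int deleteUserSafe(String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("DELETE FROM users WHERE name = ?")) {
            ps.setString(1, name);
            // ok: <rule-id>
            return ps.executeUpdate();
        }
    }
}
```

Cases 1 and 2 differ only in the sink, cases 1 and 3 only in where the concatenated value comes from, and cases 1 and 4 only in the parameter type, which is the split the two bullet points above ask the merged rule to make; case 5 is the pattern the rule's remediation text should point at.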
Edited by Dinesh Bolkensteyn