SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
 
Tags
    Impact
      Clean code attribute
        1. Processing persistent unique identifiers is security-sensitive

           Security Hotspot
        2. Exposing native code through JavaScript interfaces is security-sensitive

           Security Hotspot
        3. Hard-coded secrets are security-sensitive

           Security Hotspot
        4. Enabling file access for WebViews is security-sensitive

           Security Hotspot
        5. Enabling JavaScript support for WebViews is security-sensitive

           Security Hotspot
        6. Constructing arguments of system commands from user input is security-sensitive

           Security Hotspot
        7. Using unencrypted files in mobile applications is security-sensitive

           Security Hotspot
        8. Using biometric authentication without a cryptographic solution is security-sensitive

           Security Hotspot
        9. Using unencrypted databases in mobile applications is security-sensitive

           Security Hotspot
        10. Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive

           Security Hotspot
        11. Using long-term access keys is security-sensitive

           Security Hotspot
        12. Using slow regular expressions is security-sensitive

           Security Hotspot
        13. Allowing user enumeration is security-sensitive

           Security Hotspot
        14. Allowing requests with excessive content length is security-sensitive

           Security Hotspot
        15. Disclosing fingerprints from web application technologies is security-sensitive

           Security Hotspot
        16. Using publicly writable directories is security-sensitive

           Security Hotspot
        17. Using clear-text protocols is security-sensitive

           Security Hotspot
        18. Accessing Android external storage is security-sensitive

           Security Hotspot
        19. Receiving intents is security-sensitive

           Security Hotspot
        20. Broadcasting intents is security-sensitive

           Security Hotspot
        21. Disabling auto-escaping in template engines is security-sensitive

           Security Hotspot
        22. Having a permissive Cross-Origin Resource Sharing policy is security-sensitive

           Security Hotspot
        23. Expanding archive files without controlling resource consumption is security-sensitive

           Security Hotspot
        24. Configuring loggers is security-sensitive

           Security Hotspot
        25. Using weak hashing algorithms is security-sensitive

           Security Hotspot
        26. Using unsafe Jackson deserialization configuration is security-sensitive

           Security Hotspot
        27. Setting JavaBean properties is security-sensitive

           Security Hotspot
        28. Delivering code in production with debug features activated is security-sensitive

           Security Hotspot
        29. Disabling CSRF protections is security-sensitive

           Security Hotspot
        30. Allowing deserialization of LDAP objects is security-sensitive

           Security Hotspot
        31. Searching OS commands in PATH is security-sensitive

           Security Hotspot
        32. Allowing both safe and unsafe HTTP methods is security-sensitive

           Security Hotspot
        33. Creating cookies without the "HttpOnly" flag is security-sensitive

           Security Hotspot
        34. Setting loose POSIX file permissions is security-sensitive

           Security Hotspot
        35. Using non-standard cryptographic algorithms is security-sensitive

           Security Hotspot
        36. Using pseudorandom number generators (PRNGs) is security-sensitive

           Security Hotspot
        37. Creating cookies without the "secure" flag is security-sensitive

           Security Hotspot
        38. Formatting SQL queries is security-sensitive

           Security Hotspot
        39. Hard-coded passwords are security-sensitive

           Security Hotspot
        40. Using hardcoded IP addresses is security-sensitive

           Security Hotspot

        Formatting SQL queries is security-sensitive

        intentionality - complete
        maintainability
        security
        Security Hotspot
        • cwe
        • spring
        • bad-practice
        • cert
        • hibernate
        • sql

        Formatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the query. However, this rule doesn’t detect SQL injections (unlike rule S3649), the goal is only to highlight complex/formatted queries.

        Ask Yourself Whether

        • Some parts of the query come from untrusted values (like user inputs).
        • The query is repeated/duplicated in other parts of the code.
        • The application must support different types of relational databases.

        There is a risk if you answered yes to any of those questions.

        Recommended Secure Coding Practices

        • Use parameterized queries, prepared statements, or stored procedures and bind variables to SQL query parameters.
        • Consider using ORM frameworks if there is a need to have an abstract layer to access data.

        Sensitive Code Example

        public User getUser(Connection con, String user) throws SQLException {
        
          Statement stmt1 = null;
          Statement stmt2 = null;
          PreparedStatement pstmt;
          try {
            stmt1 = con.createStatement();
            ResultSet rs1 = stmt1.executeQuery("GETDATE()"); // No issue; hardcoded query
        
            stmt2 = con.createStatement();
            ResultSet rs2 = stmt2.executeQuery("select FNAME, LNAME, SSN " +
                         "from USERS where UNAME=" + user);  // Sensitive
        
            pstmt = con.prepareStatement("select FNAME, LNAME, SSN " +
                         "from USERS where UNAME=" + user);  // Sensitive
            ResultSet rs3 = pstmt.executeQuery();
        
            //...
        }
        
        public User getUserHibernate(org.hibernate.Session session, String data) {
        
          org.hibernate.Query query = session.createQuery(
                    "FROM students where fname = " + data);  // Sensitive
          // ...
        }
        

        Compliant Solution

        public User getUser(Connection con, String user) throws SQLException {
        
          Statement stmt1 = null;
          PreparedStatement pstmt = null;
          String query = "select FNAME, LNAME, SSN " +
                         "from USERS where UNAME=?"
          try {
            stmt1 = con.createStatement();
            ResultSet rs1 = stmt1.executeQuery("GETDATE()");
        
            pstmt = con.prepareStatement(query);
            pstmt.setString(1, user);  // Good; PreparedStatements escape their inputs.
            ResultSet rs2 = pstmt.executeQuery();
        
            //...
          }
        }
        
        public User getUserHibernate(org.hibernate.Session session, String data) {
        
          org.hibernate.Query query =  session.createQuery("FROM students where fname = ?");
          query = query.setParameter(0,data);  // Good; Parameter binding escapes all input
        
          org.hibernate.Query query2 =  session.createQuery("FROM students where fname = " + data); // Sensitive
          // ...
        

        See

        • OWASP - Top 10 2021 Category A3 - Injection
        • OWASP - Top 10 2017 Category A1 - Injection
        • CWE - CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
        • CWE - CWE-564 - SQL Injection: Hibernate
        • CWE - CWE-20 - Improper Input Validation
        • CWE - CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
        • CERT, IDS00-J. - Prevent SQL injection
        • Derived from FindSecBugs rules Potential SQL/JPQL Injection (JPA), Potential SQL/JDOQL Injection (JDO), Potential SQL/HQL Injection (Hibernate)
          Available In:
        • SonarQube IdeCatch issues on the fly,
          in your IDE
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube Community BuildAnalyze code in your
          on-premise CI
          Available Since
          9.1
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.1

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use