From 400a2a6e5f11703a4e66244759bd2c74a9c6d2cf Mon Sep 17 00:00:00 2001
From: erwan-serandour
Date: Fri, 24 Oct 2025 10:09:22 +0000
Subject: [PATCH 1/3] Create rule S8225
---
 rules/S8225/java/metadata.json | 25 +++++++++++++++++++
 rules/S8225/java/rule.adoc | 44 ++++++++++++++++++++++++++++++++++
 rules/S8225/metadata.json | 2 ++
 3 files changed, 71 insertions(+)
 create mode 100644 rules/S8225/java/metadata.json
 create mode 100644 rules/S8225/java/rule.adoc
 create mode 100644 rules/S8225/metadata.json
diff --git a/rules/S8225/java/metadata.json b/rules/S8225/java/metadata.json
new file mode 100644
index 00000000000..7f13603664e
--- /dev/null
+++ b/rules/S8225/java/metadata.json
@@ -0,0 +1,25 @@
+{
+ "title": "FIXME",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-8225",
+ "sqKey": "S8225",
+ "scope": "All",
+ "defaultQualityProfiles": ["Sonar way"],
+ "quickfix": "unknown",
+ "code": {
+ "impacts": {
+ "MAINTAINABILITY": "HIGH",
+ "RELIABILITY": "MEDIUM",
+ "SECURITY": "LOW"
+ },
+ "attribute": "CONVENTIONAL"
+ }
+}
diff --git a/rules/S8225/java/rule.adoc b/rules/S8225/java/rule.adoc
new file mode 100644
index 00000000000..4172043c9d3
--- /dev/null
+++ b/rules/S8225/java/rule.adoc
@@ -0,0 +1,44 @@
+FIXME: add a description
+
+// If you want to factorize the description uncomment the following line and create the file.
+//include::../description.adoc[]
+
+== Why is this an issue?
+
+FIXME: remove the unused optional headers (that are commented out)
+
+//=== What is the potential impact?
+
+== How to fix it
+//== How to fix it in FRAMEWORK NAME
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant]
+----
+FIXME
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant]
+----
+FIXME
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+
+//== Resources
+//=== Documentation
+//=== Articles & blog posts
+//=== Conference presentations
+//=== Standards
+//=== External coding guidelines
+//=== Benchmarks
diff --git a/rules/S8225/metadata.json b/rules/S8225/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S8225/metadata.json
@@ -0,0 +1,2 @@
+{
+}
From 79ea6cb4068436fd6305ee172edf6e920378d46b Mon Sep 17 00:00:00 2001
From: erwan-serandour
Date: Fri, 24 Oct 2025 12:11:05 +0200
Subject: [PATCH 2/3] Update rules/S8225/java/rule.adoc in PR #5790
---
 rules/S8225/java/rule.adoc | 46 ++++++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 19 deletions(-)
diff --git a/rules/S8225/java/rule.adoc b/rules/S8225/java/rule.adoc
index 4172043c9d3..6776b55e04f 100644
--- a/rules/S8225/java/rule.adoc
+++ b/rules/S8225/java/rule.adoc
@@ -1,16 +1,22 @@
-FIXME: add a description
-
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
+This rule raises an issue when date or datetime values are inserted into databases using string concatenation in SQL queries or when using `setString()` method with PreparedStatement for date parameters.
 
 == Why is this an issue?
 
-FIXME: remove the unused optional headers (that are commented out)
+Using string operations for date values in database operations creates data integrity problems.
+
+String-based date handling bypasses proper type validation. When dates are treated as strings, invalid date values can reach the database without validation, potentially causing silent data corruption or insertion failures.
+
+Using `setString()` for date parameters defeats the type safety that PreparedStatement provides. The JDBC driver cannot validate that the string represents a valid date, allowing malformed data to pass through.
 
-//=== What is the potential impact?
+PreparedStatement offers proper type-safe methods for date handling: `setDate()` for SQL DATE columns, `setTime()` for SQL TIME columns, and `setTimestamp()` for SQL TIMESTAMP columns. These methods ensure proper validation and type conversion.
+
+=== What is the potential impact?
+
+Data integrity issues may result in incorrect date storage, leading to business logic errors, reporting inaccuracies, or application failures when processing date-based operations. Invalid dates may be silently accepted, causing downstream processing problems.
 
 == How to fix it
-//== How to fix it in FRAMEWORK NAME
+
+Parse and validate date strings using java.sql.Date for database operations using setDate().
 
 === Code examples
 
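Review bot: The new opening sentence names "string concatenation in SQL queries" as a trigger, but the rest of the hunk, and the examples further down, only cover `setString()` on a bound PreparedStatement parameter; the two cases have different security properties and the text should not blur them. A date concatenated into the query text reaches the SQL parser and is a query-integrity (injection) problem, whereas a value bound with `setString()` cannot alter the statement and is only a type-safety problem, so either drop the concatenation clause or state the distinction explicitly so the rule's severity can be matched to what is actually detected. The sentence `The JDBC driver cannot validate that the string represents a valid date, allowing malformed data to pass through.` is also stronger than the examples support, since the database will normally reject or implicitly convert the literal and whether that is silent depends on the DBMS; suggest `the string is forwarded unchanged and its validity is left to the database`. The fix sentence `Parse and validate date strings using java.sql.Date for database operations using setDate().` reads awkwardly and omits the java.time option that the Resources section links; suggest `Parse the string into a typed value (java.sql.Date, or java.time.LocalDate bound with setObject()) and pass it to the matching typed setter.`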
@@ -18,27 +24,29 @@ FIXME: remove the unused optional headers (that are commented out)
 
 [source,java,diff-id=1,diff-type=noncompliant]
 ----
-FIXME
+String dateStr = "2010-05-01";
+PreparedStatement pstmt = connection.prepareStatement("INSERT INTO events (event_date) VALUES (?)");
+pstmt.setString(1, dateStr); // Noncompliant
+pstmt.executeUpdate();
 ----
 
 ==== Compliant solution
 
 [source,java,diff-id=1,diff-type=compliant]
 ----
-FIXME
+String dateStr = "2010-05-01";
+java.sql.Date sqlDate = java.sql.Date.valueOf(dateStr);
+PreparedStatement pstmt = connection.prepareStatement("INSERT INTO events (event_date) VALUES (?)");
+pstmt.setDate(1, sqlDate);
+pstmt.executeUpdate();
 ----
 
-//=== How does this work?
+== Resources
 
-//=== Pitfalls
+=== Documentation
 
-//=== Going the extra mile
+ * Java SE Documentation - java.sql.PreparedStatement - https://docs.oracle.com/en/java/javase/11/docs/api/java.sql/java/sql/PreparedStatement.html[Complete API documentation for PreparedStatement methods including date setters]
+ * Java SE Documentation - java.sql.Date - https://docs.oracle.com/en/java/javase/11/docs/api/java.sql/java/sql/Date.html[Documentation for java.sql.Date class used for SQL DATE values]
 
 
-//== Resources
-//=== Documentation
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
-//=== External coding guidelines
-//=== Benchmarks
+ * Java SE Documentation - LocalDate - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/time/LocalDate.html[Modern Java API for date handling without time zone information]
From a5ad1eb34ae8366f7b853ce202b7d288d9e100b7 Mon Sep 17 00:00:00 2001
From: erwan-serandour
Date: Fri, 24 Oct 2025 12:11:09 +0200
Subject: [PATCH 3/3] Update rules/S8225/java/metadata.json in PR #5790
---
 rules/S8225/java/metadata.json | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/rules/S8225/java/metadata.json b/rules/S8225/java/metadata.json
index 7f13603664e..0a0525a5c1d 100644
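Review bot: The compliant example's `java.sql.Date.valueOf(dateStr)` is where the validation the rule promises actually happens, because it throws `IllegalArgumentException` when the string is not in `yyyy-[m]m-[d]d` form, yet neither the example nor the surrounding text says so; add a trailing comment on that line, `// throws IllegalArgumentException if dateStr is not yyyy-[m]m-[d]d`, or a sentence in "How to fix it" explaining that the parse step is the validation. The Resources section links `LocalDate`, but no example uses it; either add a second compliant form, `pstmt.setObject(1, LocalDate.parse(dateStr));`, or drop the link so readers are not pointed at an API the rule never shows. The noncompliant example still binds the value through a placeholder, so it does not illustrate the string-concatenation case the description's first sentence mentions; if that case is in scope it needs its own noncompliant snippet, and if not, the description should be narrowed.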
--- a/rules/S8225/java/metadata.json
+++ b/rules/S8225/java/metadata.json
@@ -1,25 +1,31 @@
 {
- "title": "FIXME",
- "type": "CODE_SMELL",
+ "title": "Date parameters in database operations should use proper types and PreparedStatement methods",
+ "type": "VULNERABILITY",
  "status": "ready",
  "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "5min"
+ "func": "Constant/Issue",
+ "constantCost": "10 min"
  },
  "tags": [
+ "sql",
+ "database",
+ "injection",
+ "jdbc"
  ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Blocker",
  "ruleSpecification": "RSPEC-8225",
  "sqKey": "S8225",
- "scope": "All",
- "defaultQualityProfiles": ["Sonar way"],
+ "scope": "Main",
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
  "quickfix": "unknown",
  "code": {
  "impacts": {
- "MAINTAINABILITY": "HIGH",
- "RELIABILITY": "MEDIUM",
- "SECURITY": "LOW"
+ "SECURITY": "BLOCKER",
+ "RELIABILITY": "BLOCKER",
+ "MAINTAINABILITY": "HIGH"
  },
  "attribute": "CONVENTIONAL"
  }
-}
+}
\ No newline at end of file
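Review bot: The metadata now classifies the rule as `"type": "VULNERABILITY"` with an `"injection"` tag, `"defaultSeverity": "Blocker"` and `"SECURITY": "BLOCKER"`, but the only pattern the rule description in this series exemplifies is `setString()` on a bound PreparedStatement parameter, which cannot change the SQL statement and is therefore not an injection issue. Unless the implementation also flags dates concatenated into query text, this will surface blocker security findings for what the description itself calls a data-integrity problem; suggest either `"type": "CODE_SMELL"` with the `"injection"` tag removed and `"SECURITY"` lowered, or extending the description to the concatenation case that would justify the classification. `"RELIABILITY": "BLOCKER"` also looks high for a value the database may still reject at insert time; worth confirming against the severity guidelines. Minor: the rewrite drops the file's trailing newline (`\ No newline at end of file`), which the first commit had.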