SonarSource · github-actions · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025
diff --git a/rules/S8225/java/metadata.json b/rules/S8225/java/metadata.json
@@ -0,0 +1,31 @@
+{
+  "title": "Date parameters in database operations should use proper types and PreparedStatement methods",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant/Issue",
+    "constantCost": "10 min"
+  },
+  "tags": [
+    "sql",
+    "database",
+    "injection",
+    "jdbc"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-8225",
+  "sqKey": "S8225",
+  "scope": "Main",
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "BLOCKER",
+      "RELIABILITY": "BLOCKER",
+      "MAINTAINABILITY": "HIGH"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}
diff --git a/rules/S8225/java/rule.adoc b/rules/S8225/java/rule.adoc
@@ -0,0 +1,52 @@
+This rule raises an issue when date or datetime values are inserted into databases using string concatenation in SQL queries or when using `setString()` method with PreparedStatement for date parameters.
+
+== Why is this an issue?
+
+Using string operations for date values in database operations creates data integrity problems.
+
+String-based date handling bypasses proper type validation. When dates are treated as strings, invalid date values can reach the database without validation, potentially causing silent data corruption or insertion failures.
+
+Using `setString()` for date parameters defeats the type safety that PreparedStatement provides. The JDBC driver cannot validate that the string represents a valid date, allowing malformed data to pass through.
+
+PreparedStatement offers proper type-safe methods for date handling: `setDate()` for SQL DATE columns, `setTime()` for SQL TIME columns, and `setTimestamp()` for SQL TIMESTAMP columns. These methods ensure proper validation and type conversion.
+
+=== What is the potential impact?
+
+Data integrity issues may result in incorrect date storage, leading to business logic errors, reporting inaccuracies, or application failures when processing date-based operations. Invalid dates may be silently accepted, causing downstream processing problems.
+
+== How to fix it
+
+Parse and validate date strings using java.sql.Date for database operations using setDate().
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant]
+----
+String dateStr = "2010-05-01";
+PreparedStatement pstmt = connection.prepareStatement("INSERT INTO events (event_date) VALUES (?)");
+pstmt.setString(1, dateStr); // Noncompliant
+pstmt.executeUpdate();
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant]
+----
+String dateStr = "2010-05-01";
+java.sql.Date sqlDate = java.sql.Date.valueOf(dateStr);
+PreparedStatement pstmt = connection.prepareStatement("INSERT INTO events (event_date) VALUES (?)");
+pstmt.setDate(1, sqlDate);
+pstmt.executeUpdate();
+----
+
+== Resources
+
+=== Documentation
+
+ * Java SE Documentation - java.sql.PreparedStatement - https://docs.oracle.com/en/java/javase/11/docs/api/java.sql/java/sql/PreparedStatement.html[Complete API documentation for PreparedStatement methods including date setters]
+
+ * Java SE Documentation - java.sql.Date - https://docs.oracle.com/en/java/javase/11/docs/api/java.sql/java/sql/Date.html[Documentation for java.sql.Date class used for SQL DATE values]
+
+ * Java SE Documentation - LocalDate - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/time/LocalDate.html[Modern Java API for date handling without time zone information]
diff --git a/rules/S8225/metadata.json b/rules/S8225/metadata.json
@@ -0,0 +1,2 @@
+{
+}