Page History

...

Failure to sanitize user input before processing or storing it can result in injection attacks.

Rule	Severity	Likelihood	Detectable	RepairableRemediation Cost	Priority	Level
IDS00-J	High	Likely	YesProbable	MediumNo	P12P18	L1

Automated Detection

Tool

Version

Checker

Description

The Checker Framework

Include Page

	The Checker Framework_V
	The Checker Framework_V

Tainting Checker

Trust and security errors (see Chapter 8)

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

JAVA.IO.INJ.SQL

SQL Injection (Java)injection

Coverity

7.5

SQLI
FB.SQL_PREPARED_STATEMENT_GENERATED_
FB.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE

Implemented

Findbugs

1.0

SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE

Implemented

Fortify

1.0

HTTP_Response_Splitting
SQL_Injection__Persistence
SQL_Injection

Implemented

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

SV.DATA.BOUND

SV.DATA.DB
SV.HTTP_SPLITSQL
SV.PATH
SV.PATH.INJ
SV.SQLSQL.DBSOURCE

Implemented

Parasoft Jtest

Include Page

	Parasoft_V
	Parasoft_V

CERT.IDS00.TDSQL

Protect against SQL injection

SonarQube

Include Page

	SonarQube_V
	SonarQube_V

S2077

S3649

Executing SQL queries is security-sensitive

SQL queries should not be vulnerable to injection attacks

SpotBugs

Include Page

	SpotBugs_V
	SpotBugs_V

SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING

Implemented

...

SEI CERT C Coding Standard	STR02-C. Sanitize data passed to complex subsystemsSEI CERT C++ Coding StandardVOID STR02-CPP. Sanitize data passed to complex subsystems
SEI CERT Perl Coding Standard	IDS33-PL. Sanitize untrusted data passed across a trust boundary
ISO/IEC TR 24772:2013	Injection [RST]
MITRE CWE	CWE-116, Improper Encoding or Escaping of Output

...

Space shortcuts

Page tree

Versions Compared

Old Version 206

New Version Current

Key

Automated Detection