
Java: Reduce false positives in java/concatenated-sql-query #26

Open
mrigankpawagi wants to merge 1 commit into main from improve-java-sql-concatenated
Conversation

@mrigankpawagi

Owner

Summary

This PR improves the java/concatenated-sql-query (SqlConcatenated) query by expanding the controlledString predicate in ControlledString.qll to recognize additional programmer-controlled expression patterns.

Problem

MRVA on the top-100 Java repositories revealed 386 alerts, many of which are false positives caused by:

  1. Method calls on objects constructed from literals - e.g., new Sha256Hash("admin").toHex() in apache/shiro bootstrap code
  2. Constructor expressions with all-literal arguments - e.g., new SimpleDateFormat("yyyy")
  3. Static final field accesses - Constants that are effectively compile-time known

These patterns are clearly programmer-controlled (deterministic, not influenced by user input) but were not recognized by the existing controlledString predicate.

Changes

Expanded controlledString predicate in ControlledString.qll with three new cases:

  1. Method calls on controlled qualifiers with controlled arguments - When a method is called on a controlled object with all-controlled arguments, the result is controlled. This handles patterns like new Sha256Hash("admin").toHex().

  2. Constructor calls (ClassInstanceExpr) with all controlled arguments - When a constructor is called with only controlled arguments, the resulting object is controlled.

  3. Static final field accesses - Fields that are both static and final are effectively compile-time constants.

MRVA Validation

  • Before: 386 alerts across top-100 Java repositories (15 repos with results)
  • Expected impact: Significant reduction in FPs from shiro bootstrap code, hibernate test utilities, and similar patterns
  • Patterns like new Sha256Hash("admin").toHex() (shiro), new SimpleDateFormat().format() (various), and static final constants will no longer be flagged

Why this is correct

  • If a constructor is called with all-literal/controlled arguments, the resulting object is deterministic and programmer-controlled
  • Method calls on such objects with controlled arguments produce deterministic results
  • Static final fields cannot be modified at runtime and are effectively constants
  • None of these can contain SQL injection payloads from user input

@github-actions github-actions Bot added documentation Improvements or additions to documentation Java labels Jun 28, 2026
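The following Java file is an editor's example added to this page, not code from the PR or from the CodeQL repository. It constructs one concatenated SQL string per case named in the PR description (method call on an object built from a literal, constructor with literal or no arguments, `static final` field) plus two inputs worth checking against the three rules as they are stated: a `static final` field initialised from the environment, and `new Scanner(System.in).nextLine()`, where every sub-expression satisfies one of the rules yet the value is user input. Shiro's `Sha256Hash` is stood in for by `StringBuilder` so the file compiles with the JDK alone; the class and method names are mine, and the comments about what each rule "would conclude" are my reading of the description, not a claim about the actual QL.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Scanner;

// Constructed inputs for the expanded controlledString predicate (editor's example,
// not a file from the PR). Each method builds a SQL string by concatenation; the
// comment on each states what the three new rules, as described, would conclude.
public class ConcatenatedSqlCases {

    // Rule 3: static final field initialised from a literal. A genuine constant.
    static final String USERS_TABLE = "users";

    // Also static final, but its value is read from the process environment when the
    // class is initialised. Java permits this; "static and final" alone does not imply
    // a literal value. (Assumption: rule 3 as described treats both fields alike.)
    static final String TABLE_FROM_ENV =
        System.getenv().getOrDefault("USERS_TABLE", "users");

    // Rules 1 and 2: zero-argument methods called on an object constructed from a
    // literal. Stands in for new Sha256Hash("admin").toHex() in Shiro's bootstrap code.
    static String bootstrapInsert() {
        String hash = new StringBuilder("admin").reverse().toString();
        return "INSERT INTO " + USERS_TABLE + " (name, pw) VALUES ('admin', '" + hash + "')";
    }

    // Rule 2 then rule 1: new SimpleDateFormat("yyyy") has a literal argument, and
    // format(new Date()) receives a constructor call with no arguments. The result
    // depends only on the clock, so no injection is possible here.
    static String currentYearFilter() {
        return "SELECT * FROM " + USERS_TABLE + " WHERE created_year = "
            + new SimpleDateFormat("yyyy").format(new Date());
    }

    // Rule 3 would also treat this concatenation as controlled, although the table
    // name is not compile-time known.
    static String envTableQuery() {
        return "SELECT * FROM " + TABLE_FROM_ENV;
    }

    // Must still be reported: the argument is a method parameter, not a controlled string.
    static String lookupByName(String name) {
        return "SELECT * FROM " + USERS_TABLE + " WHERE name = '" + name + "'";
    }

    // Edge case to check: System.in is a static final field (rule 3), so
    // new Scanner(System.in) has all-controlled arguments (rule 2), and nextLine() is a
    // zero-argument call on a controlled qualifier (rule 1). The value is still whatever
    // the user typed. If the predicate is applied literally as described, this
    // concatenation would no longer be flagged; it should be.
    static String lookupFromStdin() {
        return "SELECT * FROM " + USERS_TABLE + " WHERE name = '"
            + new Scanner(System.in).nextLine() + "'";
    }

    public static void main(String[] args) {
        System.out.println(bootstrapInsert());
        System.out.println(currentYearFilter());
        System.out.println(envTableQuery());
        System.out.println(lookupByName("o'reilly"));
    }
}
```

Compiled with `javac ConcatenatedSqlCases.java`, the file is the kind of input one would run the updated query against: the first two methods should lose their alerts, `lookupByName` must keep its alert, and the last two methods show where a purely syntactic notion of "controlled" diverges from "not influenced by user input".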