
Detect SQL injection as part of OWASP Top Ten recipe #13

Open
aman-pebicloud opened this issue Jul 17, 2024 · 2 comments
Labels
recipe Requests for or contributions of new recipes

Comments

@aman-pebicloud

What version of OpenRewrite are you using?

I am using

  • OpenRewrite v5.35.0
  • Maven/Gradle plugin v5.35.0
  • rewrite-java-security v2.10.3

How are you running OpenRewrite?

I am using the Maven plugin, and my project is a single module project.

<plugin>
    <groupId>org.openrewrite.maven</groupId>
    <artifactId>rewrite-maven-plugin</artifactId>
    <version>5.35.0</version>
    <configuration>
        <activeRecipes>
            <recipe>org.openrewrite.java.security.OwaspTopTen</recipe>
        </activeRecipes>
    </configuration>
    <dependencies>
        <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-java-security</artifactId>
            <version>2.10.3</version>
        </dependency>
    </dependencies>
</plugin>

mvn rewrite:run

What is the smallest, simplest way to reproduce the problem?

I have a SQL injection vulnerability in my code snippet, and it doesn't get fixed by the org.openrewrite.java.security.OwaspTopTen recipe.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

// Enclosing class name assumed; the issue shows only the method.
public class VulnerableDao {
    public void vulnerableMethod(String userInput) {
        try (Connection connection = DriverManager.getConnection("jdbc:mysql://localhost:3306/mydb", "user", "password")) {
            Statement statement = connection.createStatement();
            // userInput is concatenated straight into the SQL text: this is the injection the recipe is expected to flag
            String query = "SELECT * FROM users WHERE username = '" + userInput + "'";
            ResultSet resultSet = statement.executeQuery(query);

            while (resultSet.next()) {
                System.out.println("User: " + resultSet.getString("username"));
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

What did you expect to see?

I expect the vulnerable code to be detected and corrected by rewrite.

What did you see instead?

The vulnerability didn't get detected.

What is the full stack trace of any errors you encountered?

No errors.

What am I looking for?

If this is an issue, please address it. Can I see some examples where this recipe is used, so I can try to validate that it works?

@aman-pebicloud aman-pebicloud added the bug Something isn't working label Jul 17, 2024
@timtebeek timtebeek added recipe Requests for or contributions of new recipes and removed bug Something isn't working labels Jul 17, 2024
@timtebeek timtebeek changed the title from "OWASP Top Ten recipe not detecting SQL injection." to "Detect SQL injection as part of OWASP Top Ten recipe" Jul 17, 2024
@timtebeek
Contributor

timtebeek commented Jul 17, 2024

Hi @aman-pebicloud; the OWASP Top Ten recipe is a composite of other recipes. In your case you're probably looking to add a detection & correction recipe to rewrite-sql first, before including that in OWASP Top Ten. I'll move this issue accordingly.
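A minimal shape for the detection half of such a recipe, as an added example that is not part of rewrite-sql or of this thread: it assumes the rewrite 8 recipe API (Recipe, JavaIsoVisitor, MethodMatcher, SearchResult) and marks Statement.executeQuery calls whose SQL argument is a '+' expression, following a local variable such as `query` back to its initializer in the same method, which is the shape of the issue's vulnerableMethod. The class and helper names are hypothetical.

```java
import java.util.*;
import org.openrewrite.ExecutionContext;
import org.openrewrite.Recipe;
import org.openrewrite.TreeVisitor;
import org.openrewrite.java.JavaIsoVisitor;
import org.openrewrite.java.MethodMatcher;
import org.openrewrite.java.tree.Expression;
import org.openrewrite.java.tree.J;
import org.openrewrite.marker.SearchResult;

// Hypothetical search recipe (not from rewrite-sql): marks executeQuery calls whose SQL text is
// assembled with '+', either inline or through a local String variable declared in the same method.
public class FindConcatenatedSqlStatements extends Recipe {
    private static final MethodMatcher EXECUTE_QUERY = new MethodMatcher("java.sql.Statement executeQuery(String)");

    @Override public String getDisplayName() { return "Find SQL built by string concatenation"; }
    @Override public String getDescription() { return "Marks Statement.executeQuery calls whose SQL argument is a '+' expression."; }

    @Override public TreeVisitor<?, ExecutionContext> getVisitor() {
        return new JavaIsoVisitor<ExecutionContext>() {
            @Override public J.MethodInvocation visitMethodInvocation(J.MethodInvocation method, ExecutionContext ctx) {
                J.MethodInvocation m = super.visitMethodInvocation(method, ctx);
                if (!EXECUTE_QUERY.matches(m)) return m;
                Expression sql = m.getArguments().get(0);
                if (sql instanceof J.Identifier) { // e.g. executeQuery(query): resolve `query` to its initializer
                    sql = initializerOf(((J.Identifier) sql).getSimpleName());
                }
                return isConcatenation(sql) ? SearchResult.found(m) : m;
            }

            // Finds the initializer of the named local variable inside the enclosing method (null if none).
            private Expression initializerOf(String name) {
                List<Expression> inits = new ArrayList<>();
                new JavaIsoVisitor<List<Expression>>() {
                    @Override public J.VariableDeclarations.NamedVariable visitVariable(J.VariableDeclarations.NamedVariable v, List<Expression> acc) {
                        if (v.getSimpleName().equals(name) && v.getInitializer() != null) acc.add(v.getInitializer());
                        return super.visitVariable(v, acc);
                    }
                }.visit(getCursor().firstEnclosing(J.MethodDeclaration.class), inits);
                return inits.isEmpty() ? null : inits.get(0);
            }
        };
    }

    // A '+' expression is a concatenation risk unless every operand is a compile-time literal.
    static boolean isConcatenation(Expression e) {
        return e instanceof J.Binary && ((J.Binary) e).getOperator() == J.Binary.Type.Addition && !allLiterals(e);
    }
    static boolean allLiterals(Expression e) {
        if (e instanceof J.Literal) return true;
        if (!(e instanceof J.Binary)) return false;
        return allLiterals(((J.Binary) e).getLeft()) && allLiterals(((J.Binary) e).getRight());
    }
}
```

This is a search recipe only: it adds a `~~>` marker to the flagged call and leaves the correction (rewriting to a PreparedStatement with bound parameters) to a separate recipe, since that change needs to move the user-supplied operands into parameter bindings rather than just touching the call site.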

@timtebeek timtebeek transferred this issue from openrewrite/rewrite-java-security Jul 17, 2024
@aman-pebicloud
Author

My bad, I wanted to post in rewrite-java-security, somehow landed here. Thanks for moving it.
