alipay / ant-application-security-testing-benchmark

The xAST evaluation benchmark makes security tools no longer a "black box".
https://xastbenchmark.github.io
Apache License 2.0

Why is 'aTaintCase0158' considered a taint case? #51

Closed XuHuo closed 2 months ago

XuHuo commented 3 months ago

AstTaintCase001.java case0158

CC11001100 commented 2 months ago

aTaintCase0158 code:

    @PostMapping(value = "case0158")
    public Map<String, Object> aTaintCase0158(@RequestParam String cmd) {
        Map<String, Object> modelMap = new HashMap<>();
        try {
            // The request-controlled value is overwritten with a constant before
            // it reaches the sink, so no tainted data flows into exec().
            cmd = "ls";
            Runtime.getRuntime().exec(cmd);
            modelMap.put("status", "success");
        } catch (Exception e) {
            modelMap.put("status", "error");
        }
        return modelMap;
    }

This is a scenario used to test risk release. For example, a detection engine that does not detect assignment operations will consider the taint propagation process of this case to be:

[image]

It will detect a vulnerability, but in reality this assignment operation:

    cmd = "ls";

assigns the constant string "ls" to the variable cmd, which is equivalent to releasing the tainted variable cmd once and falls under context-sensitive detection. So the actual propagation process is:

[image]

In summary, for this case, the scanner may yield two types of results:

This case is designed to differentiate between these two scenarios.
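To make the two outcomes concrete, here is a small added illustration (not the benchmark's own scanner, and independent of this thread) that models case0158 as a list of statements and runs it through a flow-sensitive tracker, which honours the `cmd = "ls"` kill, and a flow-insensitive one, which does not. The `Stmt` encoding and the two constructed variants are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stmt:
    # kind: "source" (taint enters target), "assign_const" (target := literal),
    #       "assign_var" (target := src), "sink" (src reaches a dangerous call)
    kind: str
    target: str = ""
    src: str = ""

def flow_sensitive(stmts):
    """Walk statements in program order; a constant assignment kills taint."""
    tainted, findings = set(), []
    for i, s in enumerate(stmts):
        if s.kind == "source":
            tainted.add(s.target)
        elif s.kind == "assign_const":
            tainted.discard(s.target)          # e.g. cmd = "ls": cmd is clean from here on
        elif s.kind == "assign_var":
            if s.src in tainted:
                tainted.add(s.target)
            else:
                tainted.discard(s.target)
        elif s.kind == "sink" and s.src in tainted:
            findings.append(i)                 # index of the sink that is really reachable
    return findings

def flow_insensitive(stmts):
    """Ignore statement order and kills: a variable that is ever tainted stays
    tainted, so the constant reassignment in case0158 is never seen."""
    ever = {s.target for s in stmts if s.kind == "source"}
    changed = True
    while changed:                             # propagate through copies to a fixpoint
        changed = False
        for s in stmts:
            if s.kind == "assign_var" and s.src in ever and s.target not in ever:
                ever.add(s.target)
                changed = True
    return [i for i, s in enumerate(stmts) if s.kind == "sink" and s.src in ever]

# case0158 as written: @RequestParam cmd -> cmd = "ls" -> exec(cmd)
CASE0158 = [Stmt("source", "cmd"), Stmt("assign_const", "cmd"), Stmt("sink", src="cmd")]
# Constructed variant: the kill happens only after the sink, so this one is a real finding.
CASE_KILL_AFTER_SINK = [Stmt("source", "cmd"), Stmt("sink", src="cmd"), Stmt("assign_const", "cmd")]
# Constructed variant: taint is copied into another variable that reaches the sink.
CASE_COPY = [Stmt("source", "cmd"), Stmt("assign_var", "c2", "cmd"), Stmt("sink", src="c2")]

if __name__ == "__main__":
    for name, case in [("case0158", CASE0158), ("kill_after_sink", CASE_KILL_AFTER_SINK), ("copy", CASE_COPY)]:
        print(name, "flow-sensitive:", flow_sensitive(case), "flow-insensitive:", flow_insensitive(case))
```

A scanner that reports case0158 behaves like `flow_insensitive`; one that stays silent on it but still reports the other two variants behaves like `flow_sensitive`, which is the distinction the case is meant to expose.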

XuHuo commented 2 months ago

Thank you for your answer. I understand now; this is a point that should not be reported. I made a mistake: I thought the "AstTaintCase001.java" file was filled with points that should be reported.