MyBatis Plugin for SonarQube: Rules to check SQL statements in MyBatis Mapper XML files.
Risk SQL is that in the mybatis mapper file, there are some dynamic SQL, such as <if test=""></if>
elements of Mapper file,
if all parameters in the SQL statement elements of Mapper XML file are null , the SQL may at great risk.
an example as follows:
DELETE FROM table_name
WHERE 1=1
<if test="startTime != null">
AND start_time <![CDATA[=]]> #{startTime}
</if>
<if test="endTime != null">
AND end_time <![CDATA[=]]> #{endTime}
</if>
There are 7 built-in mybatis rules, which select statement has three rules, update and delete statement has two rules.
There are two options to install a plugin into SonarQube:
If you have access to the Internet and you are connected with a SonarQube user having the Global Permission "Administer System", you can go to Administration > Marketplace.
mybatis
Once download is complete, a "Restart" button will be available to restart your instance.
The plugin can be downloaded from github release .
Put the downloaded jar in $SONARQUBE_HOME/extensions/plugins
, removing any previous versions of the same plugins.
Once done, you will need to restart your SonarQube Server.
There is an example of using maven build command:
mvn clean compile -U -Dmaven.test.skip=true -Dmaven.javadoc.skip=true sonar:sonar -Dsonar.host.url=http://127.0.0.1:9000/ -Dsonar.projectKey=demo -Dsonar.projectName=demo -Dsonar.sourceEncoding=UTF-8 -Dsonar.sources=. -Dsonar.inclusions=src/main/** -Dsonar.exclusions==src/main/webapp/**
To analysis mybatis mapper file, src/main/resources
dir must be in sonar.sources
.
For special issues of statements, if you want ignore them, you can put the statement id with namespace into the global stmt id exclude list.
If you want to skip mybatis sensor sometimes, you can change the global properties sonar.mybatis.skip
to true
or add the parameter in the command:
-Dsonar.mybatis.skip=true
.
Please report bugs and feature requests at https://github.com/donhui/sonar-mybatis/issues.
Or you can submit pull requests for fix bugs or create new features, any contribution is welcome.