pumasecurity / puma-scan

Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
https://www.pumascan.com
Mozilla Public License 2.0

Taint Analysis #56

Open ShriShalini opened 5 years ago

ShriShalini commented 5 years ago

Puma gives false positives at times. In the following example:

```csharp
using System.Data.SqlClient;

string sq = "select * from tab";               // constant command text, not tainted
SqlCommand sqll = new SqlCommand(sq);          // no diagnostic raised here
SqlDataAdapter sqa = new SqlDataAdapter(sqll); // diagnostic still raised here
```

I tried modifying the SqlCommandInjectionObjectCreationExpressionAnalyzer.cs for detecting and raising warnings if the first argument of SqlCommand and SqlDataAdapter are tainted. So if they are tainted, diagnostics are raised properly. String "sq" in this case is not tainted. But still diagnostics are raised for SqlDataAdapter.
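The false positive above comes from checking the first argument of `SqlDataAdapter` as if it were command text, when it is actually a `SqlCommand` whose own first argument is the constant string. The Roslyn analyzer below is an added example written for this thread, not Puma Scan's code and not its taint-analysis engine: it treats a `SqlCommand` or `SqlDataAdapter` argument as safe only when it can be traced back, through local variables and nested `SqlCommand` constructions, to a compile-time constant, and it refuses to trust a local that is reassigned later in its block. The diagnostic id `EXAMPLE001`, the `IsProvablyConstant` helper and the depth limit are assumptions of this example; the sink types are assumed to live in `System.Data.SqlClient`.

```csharp
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class ConstantCommandTextAnalyzer : DiagnosticAnalyzer
{
    // Placeholder diagnostic id for this example; not one of Puma Scan's rule ids.
    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        id: "EXAMPLE001",
        title: "SQL command text is not a compile-time constant",
        messageFormat: "First argument of '{0}' could not be proven constant",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics =>
        ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        context.RegisterSyntaxNodeAction(AnalyzeObjectCreation, SyntaxKind.ObjectCreationExpression);
    }

    private static void AnalyzeObjectCreation(SyntaxNodeAnalysisContext context)
    {
        var creation = (ObjectCreationExpressionSyntax)context.Node;
        var model = context.SemanticModel;
        var createdType = model.GetTypeInfo(creation).Type;
        if (!IsSqlSink(createdType)) return;

        var firstArg = creation.ArgumentList?.Arguments.FirstOrDefault()?.Expression;
        if (firstArg == null) return; // parameterless constructor: no command text to inspect

        if (IsProvablyConstant(firstArg, model, depth: 0)) return;
        context.ReportDiagnostic(Diagnostic.Create(Rule, firstArg.GetLocation(), createdType.Name));
    }

    // Sinks for this example: the two constructors discussed in the issue.
    private static bool IsSqlSink(ITypeSymbol type) =>
        type != null
        && (type.Name == "SqlCommand" || type.Name == "SqlDataAdapter")
        && type.ContainingNamespace?.ToDisplayString() == "System.Data.SqlClient";

    // Follow the expression back through locals and nested sink constructions.
    // Returns true only when every step resolves to a compile-time constant;
    // anything it cannot prove (concatenation with a parameter, a method call,
    // a reassigned local) is reported.
    private static bool IsProvablyConstant(ExpressionSyntax expr, SemanticModel model, int depth)
    {
        if (depth > 8) return false; // bound the walk for pathological chains
        if (model.GetConstantValue(expr).HasValue) return true;

        // new SqlDataAdapter(new SqlCommand(text)): judge the inner command's text instead.
        if (expr is ObjectCreationExpressionSyntax inner && IsSqlSink(model.GetTypeInfo(inner).Type))
        {
            var innerArg = inner.ArgumentList?.Arguments.FirstOrDefault()?.Expression;
            return innerArg != null && IsProvablyConstant(innerArg, model, depth + 1);
        }

        // A local such as `sq` or `sqll`: look at its initializer, provided it is never reassigned.
        if (expr is IdentifierNameSyntax id && model.GetSymbolInfo(id).Symbol is ILocalSymbol local)
        {
            var declarator = local.DeclaringSyntaxReferences.FirstOrDefault()?.GetSyntax()
                as VariableDeclaratorSyntax;
            if (declarator?.Initializer == null) return false;
            if (IsReassigned(local, declarator, model)) return false;
            return IsProvablyConstant(declarator.Initializer.Value, model, depth + 1);
        }

        return false;
    }

    // Any assignment (including += and similar) to the local in its enclosing block
    // means the initializer no longer describes the value reaching the sink.
    private static bool IsReassigned(ILocalSymbol local, SyntaxNode declarator, SemanticModel model)
    {
        SyntaxNode scope = declarator.FirstAncestorOrSelf<BlockSyntax>() ?? declarator.Parent;
        return scope.DescendantNodes()
            .OfType<AssignmentExpressionSyntax>()
            .Any(a => SymbolEqualityComparer.Default.Equals(model.GetSymbolInfo(a.Left).Symbol, local));
    }
}
```

On the snippet from the issue this walk goes `sqll` to `new SqlCommand(sq)` to `sq` to the literal and stops without a diagnostic, so neither constructor is flagged; change the initializer of `sq` to a concatenation with a method parameter, or add a later `sq = ...` assignment, and the `SqlDataAdapter` argument is reported. Tracing back through a local's initializer is deliberately narrower than real taint tracking (it does not follow fields, parameters or method returns), which is the trade-off that keeps this check free of the false positive described above.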

ejohn20 commented 5 years ago

This is likely something that can be handled in the general code block analyzer. @meadisu27 and I can take a look at this to see if this FP can be eliminated.

ShriShalini commented 5 years ago

I am stuck at this for quite some time. So any help is appreciated!

ejohn20 commented 5 years ago

For now, I would recommend suppressing the false positive. We'll see if we can address this in a future release. @meadisu27 any recommendation on the best place in the code block analyzer to look at for fixing this across the board instead of in the sql expression analyzer specifically?

meadisu27 commented 5 years ago

Is the issue here trying to get warnings raised on the SqlDataAdapter? As it appears the code block analyzer is correctly suppressing the warning for the SqlCommand.