Some tools are apparently tripping up on the fact that l is declared as a List rather than a List<String>, i.e., they fail to track the full type of the list object that l points to. This failure has nothing to do with the intent of the pattern and should be tested for in a separate pattern, but not here.
In other tools, this failure could be masked, if they assume that toString() propagates taint for all objects.
There are also other patterns/instances that have the same problem, but I did not bother to review them all. Candidates:
102_collection_taint_propagation, 24_arraylist
Testability pattern
Consider 103_arrays_aslist:
https://github.com/testable-eu/sast-testability-patterns/blob/9691405cba238f6b861659ec40416724246a8715/JAVA/103_arrays_aslist/1_instance_103_arrays_aslist/src/QuickServlet.java#L11-L14
Problem statement
Some tools are apparently tripping up on the fact that
lis declared as aListrather than aList<String>, i.e., they fail to track the full type of the list object thatlpoints to. This failure has nothing to do with the intent of the pattern and should be tested for in a separate pattern, but not here.In other tools, this failure could be masked, if they assume that
toString()propagates taint for all objects.There are also other patterns/instances that have the same problem, but I did not bother to review them all. Candidates: 102_collection_taint_propagation, 24_arraylist
Proposed changes
Other