The upcoming web-app security plugin will detect some advanced vulnerabilities by relying on taint analysis. This technique detects when unsafe user input (the source) is used, several method calls later (after 5, 10, 50, 100+ calls), to perform a sensitive action (the sink) that the user input can severely affect. Examples: SQL injection and path traversal.
As it stands, the SonarQube UI cannot display more than the "sink" for such vulnerabilities, so no user can quickly get access to two important pieces of information:
- What/Where is the source?
- How does the unsafe user input flow from the source to the sink across several source files and method calls?
As a good enough solution, we suggest simply extending the current issue flow location mechanism to get the following expected behavior:
- The main issue location of each vulnerability is the sink.
- The flow locations should start from the source and go up to the sink.
- When there are more than 5 flow locations (including the source and the sink), all the intermediate locations between the source and the sink should be collapsed. In their place we expect to see the number of such intermediate flow locations, and this number should be clickable to expand the list.
- Each flow location should contain the name of the source file (without the path) and the name of the function/method (without the parameters). Example: "Foo.java insert()"
For the time-being, we can make the assumption that each flow location is attached to a source file that is part of the SonarQube project.
When an issue spans multiple files, the issue-box in the left panel only shows the first and last of those files, with their first and last corresponding locations. Users can show more by clicking on "xx more locations". When this issue is selected, the focus is on the sink, so the issue-box is directly visible on the last file. A slightly darker background indicates which file is opened by default.
After clicking on "xx more locations", the issue-box expands and the whole list of locations and files involved becomes visible. Clicking on a file name or one of its locations makes the code viewer load that file and display it instead of the previous one.
Our usual navigation using click and alt+up/down is not impacted. Users can still use it to navigate the locations. However when navigating to the next location involves a file change, users will not see the code viewer scroll, but instead another file will be loaded in the center column.
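As an added example (not SonarQube's own code), the following JavaScript models the display rules above: the "Foo.java insert()" label, the collapsing of intermediate flow locations when a flow has more than 5 locations, and the issue-box that shows only the first and last file with an "xx more locations" link until expanded. The location fields (`file`, `method`, `line`), the `maxVisible` parameter and the sample flow are assumptions constructed for the example.

```javascript
'use strict';
// Added example, not SonarQube code. Models how a taint-analysis flow
// (source -> ... -> sink) would be collapsed for display. Field names are
// assumptions; the sample flow below is constructed for illustration.

// Constructed sample flow: HTTP parameter (source) reaching an SQL insert
// (sink) across three files and six method calls.
const SAMPLE_FLOW = [
  { file: 'src/main/java/com/acme/web/UserController.java', method: 'handle(HttpServletRequest)', line: 31 },
  { file: 'src/main/java/com/acme/web/UserController.java', method: 'parse(String)', line: 58 },
  { file: 'src/main/java/com/acme/service/UserService.java', method: 'save(User)', line: 14 },
  { file: 'src/main/java/com/acme/service/UserService.java', method: 'normalize(String)', line: 27 },
  { file: 'src/main/java/com/acme/dao/UserDao.java', method: 'buildQuery(String)', line: 40 },
  { file: 'src/main/java/com/acme/dao/UserDao.java', method: 'insert(String)', line: 52 },
];

// "Foo.java insert()": file name without its path, method without parameters.
function formatLocation(loc) {
  const fileName = loc.file.split('/').pop();
  const methodName = loc.method.split('(')[0] + '()';
  return `${fileName} ${methodName}`;
}

// Flow-location list. With more than maxVisible locations (5 by default,
// source and sink included) only the source and sink stay visible; the
// intermediate ones become one clickable entry carrying their count.
function collapseFlow(locations, maxVisible = 5) {
  const toEntry = (loc) => ({ kind: 'location', label: formatLocation(loc), line: loc.line });
  if (locations.length <= maxVisible) return locations.map(toEntry);
  const hidden = locations.slice(1, -1);
  return [
    toEntry(locations[0]),
    { kind: 'collapsed', count: hidden.length, label: `${hidden.length} more locations`, entries: hidden.map(toEntry) },
    toEntry(locations[locations.length - 1]),
  ];
}

// Group consecutive locations by file, keeping flow order (a file visited
// twice with another file in between yields two groups).
function groupByFile(locations) {
  const groups = [];
  for (const loc of locations) {
    const fileName = loc.file.split('/').pop();
    const entry = { label: formatLocation(loc), line: loc.line };
    const last = groups[groups.length - 1];
    if (last && last.file === fileName) last.entries.push(entry);
    else groups.push({ file: fileName, entries: [entry] });
  }
  return groups;
}

// Issue-box model for the left panel. Collapsed: first and last file with
// their first and last location plus an "xx more locations" count; expanded:
// every file and location. focusFile is the sink's file (opened by default).
function issueBox(locations, expanded = false) {
  if (locations.length === 0) return { files: [], groups: [], moreLocations: 0, focusFile: null };
  const groups = groupByFile(locations);
  const focusFile = groups[groups.length - 1].file;
  if (expanded || locations.length <= 2) {
    return { files: groups.map((g) => g.file), groups, moreLocations: 0, focusFile };
  }
  const first = groups[0];
  const last = groups[groups.length - 1];
  const shown = groups.length === 1
    ? [{ file: first.file, entries: [first.entries[0], first.entries[first.entries.length - 1]] }]
    : [{ file: first.file, entries: [first.entries[0]] },
       { file: last.file, entries: [last.entries[last.entries.length - 1]] }];
  return { files: shown.map((g) => g.file), groups: shown, moreLocations: locations.length - 2, focusFile };
}

// Demo: six locations, so the four intermediate ones are collapsed.
for (const entry of collapseFlow(SAMPLE_FLOW)) console.log(entry.kind, entry.label);
console.log(issueBox(SAMPLE_FLOW));
```

A flow of exactly five locations is not collapsed, which is the boundary a UI test should cover alongside the six-location case; `issueBox` also keeps a single-file flow to one file entry rather than listing the same file twice.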