
Detecting security issues on official JDBC drivers?

Open PedroD opened this issue 5 years ago • 1 comment

I'm submitting a security report

  • [x] bug report
  • [ ] feature request

Describe the issue: find-secbugs is detecting issues in the official Postgres JDBC drivers, in functions related to prepared statements.

What does this mean and what can one do about it?

module                      level     offender                                                                                                                                            description                                                                                                                                                                                               mitigation                                                                                                                             
--------------------------  --------  --------------------------------------------------------------------------------------------------------------------------------------------------  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  ---------------------------------------------------------------------------------------------------------------------------------------
java-find-secbugs           medium    In method org.postgresql.jdbc.PgDatabaseMetaData.getColumnPrivileges(String, String, String, String)                                                org.postgresql.jdbc.PgDatabaseMetaData.getColumnPrivileges(String, String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement                               Check line(s) 1670                                                                                                                     
java-find-secbugs           medium    In method org.postgresql.jdbc.PgDatabaseMetaData.getColumns(String, String, String, String)                                                         org.postgresql.jdbc.PgDatabaseMetaData.getColumns(String, String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement                                        Check line(s) 1537                                                                                                                     
java-find-secbugs           medium    In method org.postgresql.jdbc.PgDatabaseMetaData.getFunctions(String, String, String)                                                               org.postgresql.jdbc.PgDatabaseMetaData.getFunctions(String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement                                              Check line(s) 2645                                                                                                                     
java-find-secbugs           medium    In method org.postgresql.jdbc.PgDatabaseMetaData.getImportedExportedKeys(String, String, String, String, String, String)                            org.postgresql.jdbc.PgDatabaseMetaData.getImportedExportedKeys(String, String, String, String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement           Check line(s) 2180                                                                                                                     
java-find-secbugs           medium    In method org.postgresql.jdbc.PgDatabaseMetaData.getIndexInfo(String, String, String, boolean, boolean)                                             org.postgresql.jdbc.PgDatabaseMetaData.getIndexInfo(String, String, String, boolean, boolean) passes a nonconstant String to an execute or addBatch method on an SQL statement                            Check line(s) 2401                                                                                                                     
java-find-secbugs           high      In method org.postgresql.xa.PGXAConnection.commitPrepared(Xid)                                                                                      org.postgresql.xa.PGXAConnection.commitPrepared(Xid) passes a nonconstant String to an execute or addBatch method on an SQL statement                                                                     Check line(s) 586                                                                                                                      
java-find-secbugs           high      In method org.postgresql.xa.PGXAConnection.prepare(Xid)                                                                                             org.postgresql.xa.PGXAConnection.prepare(Xid) passes a nonconstant String to an execute or addBatch method on an SQL statement                                                                            Check line(s) 352                                                                                                                      
java-find-secbugs           high      In method org.postgresql.xa.PGXAConnection.rollback(Xid)                                                                                            org.postgresql.xa.PGXAConnection.rollback(Xid) passes a nonconstant String to an execute or addBatch method on an SQL statement                                                                           Check line(s) 457                                                                                                                      

Driver Version? 42.2.10.jre7

Java Version? 12

To Reproduce: Run docker run --rm -v $PWD:/target hawkeyesec/scanner-cli:latest in a project using this driver.

Expected behaviour: No security errors

PedroD avatar Feb 19 '20 17:02 PedroD

Hi! Thank you for the report.

My initial assumption is that find-sec-bugs finds this code suspicious and points out potential SQL injection. I would expect that it is built with a "better safe than sorry" approach in mind, so it might fire some false positives if it sees some indicators but cannot really prove the absence of an issue. I would suggest looking in those places and trying to identify whether those issues really exist and/or are relevant for your use case.

I cannot verify it right now though.

bekh6ex avatar Feb 20 '20 17:02 bekh6ex
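As an added illustration of what the reply above describes (this is example code, not code from the pgjdbc driver, from hawkeyesec/scanner-cli or from find-sec-bugs), here are the three shapes behind a finding worded "passes a nonconstant String to an execute or addBatch method": the concatenation that is a genuine SQL injection risk, the parameterised form the detector does not flag, and SQL text that has to be assembled at runtime and that a static tool cannot prove safe, which is exactly the kind of site the reporter is advised to review by hand. Table and column names are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical examples of the pattern behind a "nonconstant String passed to execute" finding.
public class NonConstantSqlExamples {

    // Shape 1: flagged, and rightly so. The SQL text is assembled from a caller-supplied value,
    // so if 'owner' ever comes from an untrusted source this is a real SQL injection.
    static ResultSet concatenatedLookup(Connection conn, String owner) throws SQLException {
        String sql = "SELECT id, name FROM accounts WHERE owner = '" + owner + "'";
        Statement st = conn.createStatement();
        return st.executeQuery(sql); // nonconstant String reaches an execute method
    }

    // Shape 2: not flagged. The SQL text is a compile-time constant and the value travels as a
    // bound parameter, so the query is injection-safe by construction.
    static ResultSet parameterisedLookup(Connection conn, String owner) throws SQLException {
        PreparedStatement ps =
            conn.prepareStatement("SELECT id, name FROM accounts WHERE owner = ?");
        ps.setString(1, owner);
        return ps.executeQuery();
    }

    // Shape 3: flagged, but needs human review. Identifiers, DDL and transaction-control
    // commands cannot take bind parameters, so the text is necessarily built at runtime.
    // The detector cannot see that 'table' is validated here; a reviewer can, which is why
    // such findings in a driver's metadata or transaction code are often false positives.
    static ResultSet countRows(Connection conn, String table) throws SQLException {
        if (!table.matches("[A-Za-z_][A-Za-z0-9_]{0,62}")) {
            throw new IllegalArgumentException("unexpected table name: " + table);
        }
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT count(*) FROM " + table); // still nonconstant to the tool
    }
}
```

When triaging such a finding, the question to answer at each reported line is where every non-constant fragment of the SQL text originates and whether anything user-controlled can reach it; if nothing can, the finding can be suppressed with that justification recorded.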