rspec/rules/S2077/comments-and-links.adoc

=== is duplicated by: S3371

=== relates to: S3649

=== replaces: S1877

=== on 12 Oct 2014, 16:47:56 Freddy Mallet wrote:
@Ann, I would associate this rule to Findbugs rules : SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE,SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING

=== on 12 Nov 2014, 15:41:27 Sébastien Gioria wrote:
May I suggest to setup default severity as "Blocker" ? We should not find anymore Dynamic query in the source code without sanitizing. 


=== on 21 Nov 2014, 15:22:02 Freddy Mallet wrote:
Fine for me [~ann.campbell.2] and [~sebastien.gioria] to increase the severity to "Blocker"

=== on 21 Nov 2014, 17:33:03 Ann Campbell wrote:
\[~freddy.mallet] I considered this, but our guidelines specifically say SQL Injection rules should be Critical. Guess I should have annotated the ticket accordingly. :-/


cc [~sebastien.gioria]

=== on 24 May 2016, 13:13:14 Ann Campbell wrote:
ABAP reference: \https://www.kiuwan.com/blog/security-business-oriented-languages-abap/

=== on 26 May 2016, 11:44:21 Nicolas Bontoux wrote:
PL/SQL reference https://oracle-base.com/articles/misc/literals-substitution-variables-and-bind-variables[here] . Note that for PL/SQL this best practice is not just about security, there's also a performance impact (soft/hard parsing logic).

=== on 16 Jun 2016, 15:54:30 Freddy Mallet wrote:
\[~ann.campbell.2] there is a huge difference between the two rules :

* In PL/SQL, when using Literals or Substitution Variables there is absolutely no risk to change the structure of the SQL request to do something which is not expected -> so we absolutely don't care about the content of literal or substitution variables and a so about the fact that those values should be sanitized. The only overlap between the two rules is the remediation action but the purpose is absolutely not the same

=== on 17 Jun 2016, 13:48:52 Ann Campbell wrote:
To close the thread, we'll leave PL/SQL here

=== on 19 Sep 2018, 15:12:19 Nicolas Harraudeau wrote:
This rule becomes a Hotspot. The corresponding vulnerability is  RSPEC-3649.
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== is duplicated by: S3371`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== relates to: S3649`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== replaces: S1877`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 12 Oct 2014, 16:47:56 Freddy Mallet wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`@Ann, I would associate this rule to Findbugs rules : SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE,SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 12 Nov 2014, 15:41:27 Sébastien Gioria wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`May I suggest to setup default severity as "Blocker" ? We should not find anymore Dynamic query in the source code without sanitizing.`




Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 21 Nov 2014, 15:22:02 Freddy Mallet wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`Fine for me [~ann.campbell.2] and [~sebastien.gioria] to increase the severity to "Blocker"`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 21 Nov 2014, 17:33:03 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~freddy.mallet] I considered this, but our guidelines specifically say SQL Injection rules should be Critical. Guess I should have annotated the ticket accordingly. :-/`


			`cc [~sebastien.gioria]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 24 May 2016, 13:13:14 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`ABAP reference: \https://www.kiuwan.com/blog/security-business-oriented-languages-abap/`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 26 May 2016, 11:44:21 Nicolas Bontoux wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`PL/SQL reference https://oracle-base.com/articles/misc/literals-substitution-variables-and-bind-variables[here] . Note that for PL/SQL this best practice is not just about security, there's also a performance impact (soft/hard parsing logic).`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 16 Jun 2016, 15:54:30 Freddy Mallet wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~ann.campbell.2] there is a huge difference between the two rules :`

			`* In PL/SQL, when using Literals or Substitution Variables there is absolutely no risk to change the structure of the SQL request to do something which is not expected -> so we absolutely don't care about the content of literal or substitution variables and a so about the fact that those values should be sanitized. The only overlap between the two rules is the remediation action but the purpose is absolutely not the same`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 17 Jun 2016, 13:48:52 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`To close the thread, we'll leave PL/SQL here`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 19 Sep 2018, 15:12:19 Nicolas Harraudeau wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`This rule becomes a Hotspot. The corresponding vulnerability is RSPEC-3649.`