rspec/rules/S2077/comments-and-links.adoc


=== Duplicate: RSPEC-3371
=== Related: RSPEC-3649
=== Rule replacement: RSPEC-1877
=== On 2014-10-12T16:47:56Z Freddy Mallet Wrote:
@Ann, I would associate this rule to Findbugs rules: SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
=== On 2014-11-12T15:41:27Z Sébastien Gioria Wrote:
May I suggest setting the default severity to "Blocker"? We should no longer find dynamic queries in the source code without sanitizing.
=== On 2014-11-21T15:22:02Z Freddy Mallet Wrote:
Fine for me [~ann.campbell.2] and [~sebastien.gioria] to increase the severity to "Blocker".
=== On 2014-11-21T17:33:03Z Ann Campbell Wrote:
\[~freddy.mallet] I considered this, but our guidelines specifically say SQL Injection rules should be Critical. Guess I should have annotated the ticket accordingly. :-/
cc [~sebastien.gioria]
=== On 2016-05-24T13:13:14Z Ann Campbell Wrote:
ABAP reference: \https://www.kiuwan.com/blog/security-business-oriented-languages-abap/
=== On 2016-05-26T11:44:21Z Nicolas Bontoux Wrote:
PL/SQL reference https://oracle-base.com/articles/misc/literals-substitution-variables-and-bind-variables[here]. Note that for PL/SQL this best practice is not just about security; there's also a performance impact (soft/hard parsing logic).
=== On 2016-06-16T15:54:30Z Freddy Mallet Wrote:
\[~ann.campbell.2] there is a huge difference between the two rules:
* In PL/SQL, when using Literals or Substitution Variables there is absolutely no risk of changing the structure of the SQL request to do something which is not expected -> so we absolutely don't care about the content of literals or substitution variables, and also not about the fact that those values should be sanitized. The only overlap between the two rules is the remediation action, but the purpose is absolutely not the same.
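Added illustration (not part of the ticket thread or of the rule's own code) of the distinction drawn in the two comments above: when a value is spliced into the SQL text, it can alter the statement's structure, whereas a bind variable keeps the statement text constant and treats the value purely as data. It uses a constructed in-memory SQLite table and a name containing a single quote as the input; the statement text stays identical across calls in the bound form, which is also why it is parsed once (the soft/hard parsing point made for PL/SQL).

```python
import sqlite3


def make_db():
    """Constructed sample table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user")],
    )
    return con


def lookup_formatted(con, name):
    """The pattern S2077 flags: the value becomes part of the SQL text, so
    the statement's structure depends on its content (here it breaks the
    syntax, because the quote in the name ends the literal early)."""
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]


def lookup_bound(con, name):
    """Bind variable: the SQL text is a constant; the driver passes the value
    separately, so no content can change what the statement does."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and return their outcomes."""
    con = make_db()
    try:
        formatted = lookup_formatted(con, name)
    except sqlite3.OperationalError as exc:
        # The formatted statement no longer parses: its structure changed.
        formatted = "error: %s" % exc
    bound = lookup_bound(con, name)
    return formatted, bound


if __name__ == "__main__":
    print(compare("alice"))    # both forms agree on a plain value
    print(compare("O'Brien"))  # only the bound form still works
```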
=== On 2016-06-17T13:48:52Z Ann Campbell Wrote:
To close the thread, we'll leave PL/SQL here.
=== On 2018-09-19T15:12:19Z Nicolas Harraudeau Wrote:
This rule becomes a Hotspot. The corresponding vulnerability is RSPEC-3649.