The SQL injection points are all false positives, as far as I can tell. The analysis tool doesn't seem to realize that these statements are being populated with PreparedStatement parameters through callbacks before being executed. The ScriptUtils point is fundamentally valid; however, that utility is only meant for database initialization scripts provided by the application setup and not for user input.
With respect to log output neutralization, we just log the application-provided SQL statement (with parameter placeholders but not containing user input) as well as metadata provided by the JDBC driver. None of this needs to be neutralized from my perspective. Once again, ScriptUtils is a special case since the log statements there are expected to come from an application-embedded script file which is not expected to contain malicious code.
The resource leak is also a false positive since that Statement will get reliably closed through JdbcUtils.closeStatement in the finally block. The analysis tool seems to get confused by the delegated close calls there.
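To make the distinction in the comment above concrete, here is an added example (not code from the issue, the Veracode report, or the Spring Framework itself). It puts the spring-jdbc pattern the scanner flagged (constant SQL text, user input bound as a PreparedStatement parameter through a callback) beside a genuinely injectable string-concatenation variant, runs ScriptUtils against an application-embedded script rather than user input, and spells out the JdbcUtils.closeStatement-in-finally pattern behind the resource-leak finding. It assumes spring-jdbc 5.x and the H2 driver on the classpath; the users table, its two rows and the hostile input are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;

import javax.sql.DataSource;

import org.springframework.core.io.ByteArrayResource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DataSourceUtils;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.jdbc.support.JdbcUtils;

// Added example, not part of SPR-16436 or of spring-jdbc. Assumes spring-jdbc 5.x
// and H2 on the classpath (EmbeddedDatabaseType.H2 needs the H2 driver jar).
public class JdbcInjectionDemo {

    // Constructed, application-embedded initialization script: the only kind of
    // input ScriptUtils is meant to receive. It is never built from user data.
    static final String SCHEMA_SCRIPT =
        "CREATE TABLE users (name VARCHAR(64), email VARCHAR(128));\n"
      + "INSERT INTO users VALUES ('alice', 'alice@example.com');\n"
      + "INSERT INTO users VALUES ('bob', 'bob@example.com');\n";

    private final JdbcTemplate jdbc;

    JdbcInjectionDemo(DataSource ds) {
        this.jdbc = new JdbcTemplate(ds);
    }

    /** Safe: the SQL text is a constant containing a placeholder. The user value is
     *  bound via the PreparedStatementSetter callback, so it can never alter the
     *  statement's structure. This is the shape a taint scanner tends to misreport. */
    List<String> emailsForUser(String userSuppliedName) {
        return jdbc.query(
            "SELECT email FROM users WHERE name = ?",
            ps -> ps.setString(1, userSuppliedName),
            (rs, rowNum) -> rs.getString("email"));
    }

    /** Vulnerable, for contrast only: the user value is spliced into the SQL text
     *  before parsing, so a name like  ' OR '1'='1  matches every row. */
    List<String> emailsForUserUnsafe(String userSuppliedName) {
        return jdbc.queryForList(
            "SELECT email FROM users WHERE name = '" + userSuppliedName + "'",
            String.class);
    }

    /** The close pattern the leak finding misread: the Statement is released in
     *  finally through JdbcUtils.closeStatement, whether or not the query throws. */
    int countUsers() throws SQLException {
        DataSource ds = jdbc.getDataSource();
        Connection con = DataSourceUtils.getConnection(ds);
        Statement stmt = null;
        try {
            stmt = con.createStatement();
            try (ResultSet rs = stmt.executeQuery("SELECT COUNT(*) FROM users")) {
                rs.next();
                return rs.getInt(1);
            }
        } finally {
            JdbcUtils.closeStatement(stmt);
            DataSourceUtils.releaseConnection(con, ds);
        }
    }

    public static void main(String[] args) throws Exception {
        DataSource ds = new EmbeddedDatabaseBuilder().setType(EmbeddedDatabaseType.H2).build();

        // Initialize the schema from the embedded script via ScriptUtils.
        Connection con = DataSourceUtils.getConnection(ds);
        try {
            ScriptUtils.executeSqlScript(con, new ByteArrayResource(SCHEMA_SCRIPT.getBytes()));
        } finally {
            DataSourceUtils.releaseConnection(con, ds);
        }

        JdbcInjectionDemo demo = new JdbcInjectionDemo(ds);
        String hostile = "' OR '1'='1";   // constructed attacker input
        System.out.println("parameterized: " + demo.emailsForUser(hostile));
        System.out.println("concatenated:  " + demo.emailsForUserUnsafe(hostile));
        System.out.println("user count:    " + demo.countUsers());
    }
}
```

Run against the constructed data, the parameterized query returns no rows for the hostile value (no user is literally named `' OR '1'='1`), while the concatenated query returns both e-mail addresses, which is the behaviour the scanner's SQL-injection category is meant to catch. The same static analysis that flags `emailsForUserUnsafe` will also flag `emailsForUser` if it does not model the setter callback, which is the false-positive mechanism described in the comment.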
Pavel Shelentsov opened SPR-16436 and commented
We use a Maven dependency on the spring-jdbc module and have recently scanned it using the static Veracode analyzer. There are some vulnerabilities there, including flaws with high severity (possible SQL injections); these may be false positives, but they need to be checked.
A detailed vulnerability report [^spring-jdbc_5.0.3.RELEASE.pdf] is attached to the issue.
Affects: 5.0.3