Java: Add comments about use of sink kind regex-use#17053
owen-mc merged 2 commits into github:main from regex-use
Conversation
jcogs33 left a comment
@owen-mc The `regex-use` sink kind intentionally does not match the regex-use parsing code in order to avoid excess FPs in the `java/regex-injection` query. Some prior discussion here. Changing this kind to `regex-use[0]` will break `java/regex-injection` test cases.
There is an existing issue about adjusting the `regex-use%` kind to resolve this situation, which I'll send you a link to. @atorralba and I had previously discussed that the appropriate adjustment would not be simple, and that is why we left it as an issue.
Perhaps it would be best to simply add a comment in the `org.apache.commons.lang3.model.yml` file for now to avoid future confusion?
01f78cd to 3edeb82
@jcogs33 Thanks for explaining that. I've updated this PR to add comments in the two places that I think would be most useful.
regex-use
Is it accurate to say that the `regex-use` kind is "used for regular expression injection sinks that should not be used
Ah sorry, @owen-mc, I misread the comments when I reviewed this. Joe is correct. I'll open a PR to fix.
The sink kind `regex-use` doesn't match the code which parses `regex-use` sink kinds for regex injection. It turns out this is intentional, but not clearly documented. This PR adds comments explaining that.