This repository has been archived by the owner on Jun 9, 2022. It is now read-only.

Detecting security issues on official JDBC drivers? #159

Open
1 of 2 tasks
PedroD opened this issue Feb 19, 2020 · 1 comment

Comments

@PedroD

PedroD commented Feb 19, 2020

I'm submitting a security report

  • bug report
  • feature request

Describe the issue
find-secbugs is detecting issues in the official Postgres JDBC drivers, in functions related to prepared statements.

What does this mean and what can one do about it?

| module | level | offender | description | mitigation |
|---|---|---|---|---|
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getColumnPrivileges(String, String, String, String) | org.postgresql.jdbc.PgDatabaseMetaData.getColumnPrivileges(String, String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 1670 |
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getColumns(String, String, String, String) | org.postgresql.jdbc.PgDatabaseMetaData.getColumns(String, String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 1537 |
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getFunctions(String, String, String) | org.postgresql.jdbc.PgDatabaseMetaData.getFunctions(String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 2645 |
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getImportedExportedKeys(String, String, String, String, String, String) | org.postgresql.jdbc.PgDatabaseMetaData.getImportedExportedKeys(String, String, String, String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 2180 |
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getIndexInfo(String, String, String, boolean, boolean) | org.postgresql.jdbc.PgDatabaseMetaData.getIndexInfo(String, String, String, boolean, boolean) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 2401 |
| java-find-secbugs | high | In method org.postgresql.xa.PGXAConnection.commitPrepared(Xid) | org.postgresql.xa.PGXAConnection.commitPrepared(Xid) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 586 |
| java-find-secbugs | high | In method org.postgresql.xa.PGXAConnection.prepare(Xid) | org.postgresql.xa.PGXAConnection.prepare(Xid) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 352 |
| java-find-secbugs | high | In method org.postgresql.xa.PGXAConnection.rollback(Xid) | org.postgresql.xa.PGXAConnection.rollback(Xid) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 457 |

Driver Version?
42.2.10.jre7

Java Version?
12

To Reproduce
Run
docker run --rm -v $PWD:/target hawkeyesec/scanner-cli:latest
In a project using this driver

Expected behaviour
No security errors

@bekh6ex
Contributor

bekh6ex commented Feb 20, 2020

Hi!
Thank you for the report.

My initial assumption is that find-sec-bugs finds this code suspicious and points out potential SQL injection. I would expect that it is built with a "better safe than sorry" approach in mind, so it might fire some false positives if it sees some indicators but cannot really prove the absence of an issue. I would suggest looking in those places and trying to identify whether those issues really exist and/or are relevant or not for your use-case.

I cannot verify it right now though.
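As an added illustration (not code from pgjdbc, from the scanner, or from either commenter), the three shapes a reviewer meets when triaging a "nonconstant String passed to execute" finding: string concatenation into `Statement.executeQuery`, the same query with a bound parameter, and a statement that cannot take bind parameters and relies on driver-side quoting. The class, method names and the `information_schema` query are made up for the example; `Statement.enquoteLiteral` is a real JDBC 4.3 method.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical helper, not part of pgjdbc or of the scanner.
public class ColumnLookup {

    // Shape the scanner reports: the SQL text is assembled at run time, so the
    // analyzer cannot tell whether schemaPattern is trusted, escaped or
    // attacker-controlled. A reviewer has to look at how the value is produced.
    public static ResultSet columnsByConcatenation(Connection conn, String schemaPattern)
            throws SQLException {
        String sql = "SELECT column_name FROM information_schema.columns "
                   + "WHERE table_schema LIKE '" + schemaPattern + "'";
        Statement st = conn.createStatement();
        return st.executeQuery(sql); // reported: nonconstant String passed to execute
    }

    // Same query with the variable part bound as a parameter: the SQL text is a
    // constant, the value travels separately, and the finding does not fire.
    public static ResultSet columnsByParameter(Connection conn, String schemaPattern)
            throws SQLException {
        final String sql = "SELECT column_name FROM information_schema.columns "
                         + "WHERE table_schema LIKE ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, schemaPattern);
        return ps.executeQuery();
    }

    // Some statements cannot take bind parameters (the PREPARE TRANSACTION an XA
    // prepare(Xid) issues is one). Statement.enquoteLiteral (JDBC 4.3, Java 9+)
    // wraps the value in single quotes and doubles any embedded ones, but the SQL
    // text is still nonconstant, so the scanner keeps reporting it; this is the
    // call site where a review decides whether the finding is a false positive.
    public static void prepareTransaction(Connection conn, String xid) throws SQLException {
        Statement st = conn.createStatement();
        String sql = "PREPARE TRANSACTION " + st.enquoteLiteral(xid);
        st.execute(sql); // reported, but the literal is escaped by the driver helper
    }
}
```

When running the scanner on a project, only the first shape is a defect to fix in your own code; for findings inside a dependency such as the driver, confirm how the flagged method builds its nonconstant String before treating the report as a real injection.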
