From 183d2ec4d14b5eb285a0c5b64d5b1670b3a3bb38 Mon Sep 17 00:00:00 2001
From: Maximillian Arruda
Date: Mon, 18 Oct 2021 18:38:59 -0300
Subject: [PATCH 1/2] Added tests for HS-JAVA-134 rule
Signed-off-by: Maximillian Arruda
---
 internal/services/engines/rules_test.go | 23 +++++++++++
 internal/services/engines/samples_test.go | 47 +++++++++++++++++++++++
 2 files changed, 70 insertions(+)
diff --git a/internal/services/engines/rules_test.go b/internal/services/engines/rules_test.go
index aa924a362..aa5a8c5e9 100644
--- a/internal/services/engines/rules_test.go
+++ b/internal/services/engines/rules_test.go
@@ -443,6 +443,22 @@ func TestRulesVulnerableCode(t *testing.T) {
 },
 },
 },
+
+ // Java
+ {
+ name: "Java-HS-JAVA-134",
+ rule: java.NewSQLInjection(),
+ src: SampleVulnerableJavaSQLInjection,
+ findings: []engine.Finding{
+ {
+ CodeSample: "var pstmt = con.prepareStatement(\"select * from mytable where field01 = '\" + field01 + \"'\");",
+ SourceLocation: engine.Location{
+ Line: 14,
+ Column: 50,
+ },
+ },
+ },
+ },
 }
 for _, tt := range testcases {
@@ -605,6 +621,13 @@ func TestRulesSafeCode(t *testing.T) {
 rule: leaks.NewWPConfig(),
 src: SampleSafeLeaksRegularWPConfig,
 },
+
+ // Java
+ {
+ name: "Java-HS-JAVA-134",
+ rule: java.NewSQLInjection(),
+ src: SampleSafeJavaSQLInjection,
+ },
 }
 for _, tt := range testcases {
diff --git a/internal/services/engines/samples_test.go b/internal/services/engines/samples_test.go
index adc9ec47f..981355c47 100644
--- a/internal/services/engines/samples_test.go
+++ b/internal/services/engines/samples_test.go
@@ -561,4 +561,51 @@ func main() {
Date: Tue, 19 Oct 2021 14:30:37 -0300
Subject: [PATCH 2/2] Removed the "Java" prefix from the testcase names
Signed-off-by: Maximillian Arruda
---
 internal/services/engines/rules_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/services/engines/rules_test.go b/internal/services/engines/rules_test.go
index aa5a8c5e9..df4f76d97 100644
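Review bot: The `HS-JAVA-134` case added to `TestRulesVulnerableCode` (patch 1/2, first hunk of `rules_test.go`) asserts a single finding for one shape only, a string concatenated into `prepareStatement`, so a later change to `java.NewSQLInjection()` could stop matching other sinks without this test failing. If the rule is meant to cover more than that call (its definition is not visible here), add a second vulnerable sample and finding for each sink it matches. The safe case added to `TestRulesSafeCode` in the next hunk has the mirror-image gap: the body of `SampleSafeJavaSQLInjection` is not shown in this view, and it should contain a `prepareStatement` call with a `?` placeholder and a bound parameter so the test proves the recommended fix is not flagged. At minimum I would add above the vulnerable case `// Covers only concatenation into prepareStatement; Line/Column are tied to the sample's layout.`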
--- a/internal/services/engines/rules_test.go
+++ b/internal/services/engines/rules_test.go
@@ -446,7 +446,7 @@ func TestRulesVulnerableCode(t *testing.T) {
 // Java
 {
- name: "Java-HS-JAVA-134",
+ name: "HS-JAVA-134",
 rule: java.NewSQLInjection(),
 src: SampleVulnerableJavaSQLInjection,
 findings: []engine.Finding{
@@ -624,7 +624,7 @@ func TestRulesSafeCode(t *testing.T) {
 // Java
 {
- name: "Java-HS-JAVA-134",
+ name: "HS-JAVA-134",
 rule: java.NewSQLInjection(),
 src: SampleSafeJavaSQLInjection,
 },