
michael-PR-failed-QG #84

Open

michail-melizanis-sonarsource wants to merge 1 commit into main from michael-PR-failed-QG


Conversation

@michail-melizanis-sonarsource
Summary

Adds MichaelQgFailServlet with intentional security vulnerabilities to demonstrate a failing SonarQube Quality Gate on new code:

  • SQL injection (javasecurity:S3649): user-controlled user parameter concatenated into a SQL query
  • XSS (javasecurity:S5131): user-controlled msg parameter reflected unsanitized in HTML output

Endpoint: /michael-qg-fail?user=...&msg=...

Test plan

  • CI runs SonarQube analysis on the PR
  • Quality Gate reports new security issues on new code
  • Do not merge (demo PR)

Introduces MichaelQgFailServlet to demonstrate SonarQube security findings on new code in a pull request.
@sonar-nautilus

Quality Gate failed

Failed conditions
4 New issues
1 Security Hotspot
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

Catch issues before they fail your Quality Gate with our IDE extension, SonarQube for IDE.

```java
// Excerpts flagged in the analysis, grouped by finding. The vulnerabilities are the
// point of this demo PR and are left exactly as reported.

// doGet(): the `msg` parameter is reflected into the HTML body without escaping
// (reflected XSS, javasecurity:S5131).
String message = request.getParameter("msg");

response.setContentType("text/html");
PrintWriter out = response.getWriter();
out.print("<html><body>");
out.print("<p>Lookup result: " + lookupUser(username) + "</p>");
out.print("<p>Your message: " + message + "</p>");

// lookupUser(String user): the `user` parameter is concatenated into the query text
// (SQL injection, javasecurity:S3649). The excerpt starts mid-method, right after the
// missing-parameter check, and ends at the query execution.
    return "no user specified";
}
try (Connection connection = DriverManager.getConnection(
        "jdbc:demo", "demo", "demo");
     Statement statement = connection.createStatement()) {
    String query = "SELECT userid FROM users WHERE username = '" + user + "'";
    ResultSet resultSet = statement.executeQuery(query);
```
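For comparison, here is the same servlet with both findings fixed. This is an added example, not code from the PR or the project: the class name MichaelQgPassServlet, the javax.servlet imports (the PR does not show its imports), the "unknown user" and "lookup failed" return strings, and the users(username, userid) table implied by the query are all assumptions; the jdbc:demo placeholder URL is the one the excerpt uses. The SQL injection is closed by binding `user` as a PreparedStatement parameter so the driver never treats it as SQL text, and the XSS by HTML-entity-encoding every value before it reaches the text-node context of the page.

```java
// Added example (not the PR's code): MichaelQgFailServlet with S3649 and S5131 fixed.
// Assumptions: javax.servlet API, the jdbc:demo placeholder URL from the excerpt,
// and a users(username, userid) table as implied by the original query.
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MichaelQgPassServlet extends HttpServlet { // hypothetical name

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("user");
        String message = request.getParameter("msg");

        // Declare the charset explicitly; the escaping below assumes UTF-8 text/html
        // and a browser that is not left to guess the encoding.
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.print("<html><body>");
        // Every dynamic value is entity-encoded before it enters an HTML text node (fixes S5131).
        // lookupUser() output is encoded too: database contents are not trusted either.
        out.print("<p>Lookup result: " + escapeHtml(lookupUser(username)) + "</p>");
        out.print("<p>Your message: " + escapeHtml(message) + "</p>");
        out.print("</body></html>");
    }

    /** Resolves a user id with a bound parameter instead of string concatenation (fixes S3649). */
    private String lookupUser(String user) {
        if (user == null || user.isEmpty()) {
            return "no user specified";
        }
        String query = "SELECT userid FROM users WHERE username = ?";
        try (Connection connection = DriverManager.getConnection("jdbc:demo", "demo", "demo");
             PreparedStatement statement = connection.prepareStatement(query)) {
            // setString() sends the value as a parameter; a quote or `OR '1'='1` in it
            // is matched literally against the column, never parsed as SQL.
            statement.setString(1, user);
            try (ResultSet resultSet = statement.executeQuery()) {
                return resultSet.next() ? resultSet.getString("userid") : "unknown user"; // assumed messages
            }
        } catch (SQLException e) {
            // Do not echo e.getMessage() to the client: driver errors leak schema details.
            return "lookup failed";
        }
    }

    /** Minimal HTML entity encoder for the text-node context; null becomes the empty string. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Two caveats for anyone trying this against a real Quality Gate. The encoder above is only correct for the HTML body (text node) context; attribute, JavaScript and URL contexts need different encoders, and in a real code base OWASP Java Encoder's `Encode.forHtml` is the better choice over a hand-rolled loop, not least because taint analyzers are more likely to recognise a well-known library as a sanitizer. And the third failed condition, 0.0% coverage on new code, is untouched by either fix: the gate would still fail until the servlet has tests.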

2 participants