fix(rules): CODE-9032 (#3683)

* fix for CODE-9032

* add test

Author: kurt-r2c

java/lang/security/audit/formatted-sql-string.java

@@ -152,4 +152,23 @@ public void get(HttpServletRequest req) {
         // ruleid: formatted-sql-string
         ResultSet rs = statement.executeQuery();
     }
+}
+
+public class SqlExampleNonStringBuilderConstructor{
+
+    public Retry<ResultSet> getRetry(final String mainQuery, final Connection connection) {
+        // not a StringBuilder
+        return new Retry<>(
+            // also not a StringBuilder
+            new Callable<ResultSet>() {
+                public ResultSet call() throws SQLException {
+                    PreparedStatement statement = connection.prepareStatement(
+                        mainQuery, ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_READ_ONLY);
+                    statement.setFetchSize(Integer.MIN_VALUE);
+                    // ok: formatted-sql-string
+                    return statement.executeQuery ();
+                }
+            },
+            Retry.RETRY_FOREVER);
+    }
 }

java/lang/security/audit/formatted-sql-string.yaml

@@ -52,12 +52,17 @@ rules:
     - pattern-either:
       - pattern: $X + $INPUT
       - pattern: $X += $INPUT
-      - pattern: $STRB.append($INPUT)
       - pattern: String.format(..., $INPUT, ...)
       - pattern: String.join(..., $INPUT, ...)
       - pattern: (String $STR).concat($INPUT)
       - pattern: $INPUT.concat(...)
-      - pattern: new $STRB(..., $INPUT, ...)
+      - patterns:
+        - pattern-either:
+          - pattern: $STRB.append($INPUT)
+          - pattern: new $STRB(..., $INPUT, ...)
+        - metavariable-type:
+            metavariable: $STRB
+            type: StringBuilder
     label: CONCAT
     requires: INPUT
   pattern-propagators: