False negative in Java rule command-injection-formatted-runtime-call

[tacu22]

Describe the bug

The pattern in Java command injection rule has a common false negative：

import java.lang.Runtime;

class Cls {
    public Cls(String input) {
        Runtime r = Runtime.getRuntime();
        // ruleid: command-injection-formatted-runtime-call
        r.exec("/bin/sh -c some_tool" + input);   // it is ok
    }
}

class Cls {
    public Cls(String input) {
        Runtime r = Runtime.getRuntime();
        // ruleid: command-injection-formatted-runtime-call
        r.exec(new String[] {"/bin/sh", "-c", "some_tool", input});  // false negative
    }
}

To Reproduce

https://semgrep.dev/playground/s/jxAWY

Expected behavior
A clear and concise description of what you expected to happen.

Priority
How important is this to you?

• P0: blocking me from making progress
• P1: this will block me in the near future
• P2: annoying but not blocking me

Additional Context
Add any other context about the problem here.

[DaniBenn]

Hi! I'd like to work on fixing this false negative.

Do you have an example snippet that currently bypasses the rule
so I can reproduce the issue locally?

Happy to submit a PR once I confirm the pattern gap.

[tacu22]

Thanks for your reply, and I have filed the bypass case together with the rule in semgrep playground: https://semgrep.dev/playground/s/jxAWY.