Naveen Neelayyagari

Reputation: 115

SQL Injection with Semgrep/Spotbugs

For SAST checks in our CI pipeline we use the Semgrep and SpotBugs scanners. These scanners flag the following situation as an instance of SQL injection.

Repository Class

        Query q = em.createNativeQuery(FIND_PRODUCTS_BY_IDENTIFER);
        q.setParameter("productidentifier", productIdentifierParam);

The FIND_PRODUCTS_BY_IDENTIFER constant is defined in a separate class:

public static final String FIND_PRODUCTS_BY_IDENTIFER = "SELECT PRODUCTID FROM PRODUCT WHERE ID in (:productidentifier)";

The query is parameterized, so this is not a case of SQL injection and is a false positive. Can anyone throw some light on what has to be changed to make this violation go away, or is this already a known bug with the Semgrep analyzer?


Upvotes: 1

Views: 433
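The following is an added example, not code from the question above, that puts the flagged pattern beside a genuinely injectable one so the difference is visible to a reviewer. Pattern-based SAST rules frequently flag any `createNativeQuery` call whose argument is not a string literal in the same file; Semgrep's open-source constant propagation is per-file, so a constant defined in another class is typically not resolved, which is the likely cause of the finding. The class name, method names, the use of Hibernate as the JPA provider (the JPA spec only defines positional parameters for native queries; Hibernate additionally accepts named parameters and expands a `Collection` bound to one into an `IN` list), and the find-sec-bugs pattern id in the suppression annotation are all assumptions for illustration.

```java
package example;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import jakarta.persistence.EntityManager;
import jakarta.persistence.Query;
import java.util.List;

/**
 * Added example (not from the question): a truly injectable query next to
 * the parameterized one that the scanners flag as a false positive.
 */
public class ProductRepository {

    // Same SQL text as in the question: a compile-time constant, no user input.
    public static final String FIND_PRODUCTS_BY_IDENTIFIER =
            "SELECT PRODUCTID FROM PRODUCT WHERE ID in (:productidentifier)";

    private final EntityManager em;

    public ProductRepository(EntityManager em) {
        this.em = em;
    }

    /**
     * Genuinely injectable: user input is spliced into the SQL text, so an
     * input such as  1) OR 1=1 --  changes the structure of the statement.
     * Both scanners are right to report this method.
     */
    public List<?> findUnsafe(String userInput) {
        String sql = "SELECT PRODUCTID FROM PRODUCT WHERE ID in (" + userInput + ")";
        return em.createNativeQuery(sql).getResultList();
    }

    /**
     * Parameterized: the SQL text never changes and the values are bound by
     * the driver, so they can only ever be compared against ID, never parsed
     * as SQL. The suppressions below are the way to record, with a reason,
     * that a reviewer has confirmed this. (Assumption: SQL_INJECTION_JPA is
     * the find-sec-bugs pattern id reported by SpotBugs; check the actual
     * report and use the id it prints.)
     */
    @SuppressFBWarnings(
            value = "SQL_INJECTION_JPA",
            justification = "SQL text is a constant; values are bound with setParameter")
    public List<?> findSafe(List<Long> ids) {
        // nosemgrep: suppresses the Semgrep finding on this line only;
        // prefer the form  nosemgrep: <rule-id>  once the rule id is known.
        Query q = em.createNativeQuery(FIND_PRODUCTS_BY_IDENTIFIER); // nosemgrep
        // Assumption: Hibernate expands the bound Collection into an IN list.
        q.setParameter("productidentifier", ids);
        return q.getResultList();
    }
}
```

Two checks before suppressing: confirm that nothing ever reassigns the constant or builds the SQL text from a non-literal (a `static final String` built by concatenating another field is still a constant only if every piece is a literal), and confirm that `ids` is bound with `setParameter` rather than joined into the string with `String.join` somewhere upstream, which would silently turn the safe method into the unsafe one. If the finding must go away without per-line suppressions, moving the constant into the same file as the `createNativeQuery` call, or passing the literal directly, lets a file-local constant-propagation rule see that the argument is constant.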

Answers (0)
