rules:
  - id: java-sql-injection
    patterns:
      # Match any java.sql.Statement obtained from createStatement() that is
      # later used to run a query. The "..." lets unrelated statements sit
      # between the two lines, and $STMT matches whatever the variable is
      # named instead of only a variable literally called "stmt".
      - pattern: |
          Statement $STMT = $DB.createStatement();
          ...
          $RESULT = $STMT.executeQuery($QUERY);
      # Only report queries that are not a plain string literal. A constant
      # query carries no attacker-controlled input, so flagging it would be
      # noise; anything else (concatenation, a variable, a format call) is
      # reported. Without this exclusion the rule fires on every
      # executeQuery() call, literal or not.
      - metavariable-pattern:
          metavariable: $QUERY
          patterns:
            - pattern: $Q
            - pattern-not: '"..."'
    message: |
      [SQL Injection Risk] The query passed to executeQuery() is built at
      runtime, so any user-controlled text in it becomes part of the SQL.
      Use PreparedStatement with bound parameters (?) instead of a
      dynamically assembled Statement.
    languages: [java]
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
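The following Java file is an added, constructed test target for the rule above; it is not part of the original page. It places the vulnerable `Statement` concatenation next to two cases the rule must stay quiet on: a constant query and the `PreparedStatement` rewrite the message recommends. The `// ruleid:` and `// ok:` comments follow Semgrep's test-file convention, where each annotation applies to the line directly beneath it; the assumption made here is that Semgrep reports the multi-line match at its first line, the `Statement` declaration, so that is where `ruleid:` sits. The class name, method names and table schema are invented for the example.

```java
// Constructed test target for the java-sql-injection Semgrep rule.
// Added example, not code from the original page. Name it to match the
// rule file (e.g. java-sql-injection.java beside java-sql-injection.yaml)
// and run:  semgrep --test --config java-sql-injection.yaml .
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {

    // Vulnerable: the SQL text is assembled from a caller-supplied value.
    // A name such as  x' OR '1'='1  rewrites the WHERE clause, and
    // x'; DROP TABLE users; -- can do worse on drivers that allow
    // multiple statements. $QUERY binds to the variable `query`, which is
    // not a string literal, so the rule reports this method.
    public ResultSet findByNameUnsafe(Connection db, String name)
            throws SQLException {
        // ruleid: java-sql-injection
        Statement stmt = db.createStatement();
        String query = "SELECT id, name FROM users WHERE name = '"
                + name + "'";
        ResultSet rs = stmt.executeQuery(query);
        return rs;
    }

    // Not reported: the query is a constant string literal, so there is no
    // path for external input to reach the SQL parser. The rule's
    // pattern-not on "..." excludes exactly this shape.
    public ResultSet countUsers(Connection db) throws SQLException {
        // ok: java-sql-injection
        Statement stmt = db.createStatement();
        ResultSet rs = stmt.executeQuery("SELECT COUNT(*) FROM users");
        return rs;
    }

    // Fixed: PreparedStatement sends the SQL text and the parameter value
    // to the server separately. The driver never splices `name` into the
    // statement text, so quotes in it are just data. No createStatement()
    // call exists here, so the rule's first pattern never matches.
    public ResultSet findByNameSafe(Connection db, String name)
            throws SQLException {
        // ok: java-sql-injection
        PreparedStatement ps = db.prepareStatement(
                "SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }
}
```

One caveat worth checking in your own test run: the rule only matches `executeQuery()`, so `executeUpdate()` and `execute()` built the same way go unreported, and it only matches the assigned form `$RESULT = ...`, so a bare `stmt.executeQuery(query);` whose result is discarded is also missed. Both are easy to cover with a `pattern-either` once the base case above behaves as expected.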