18 lines
515 B
YAML
rules:
  - id: java-sql-injection
    patterns:
      # Match a Statement obtained from any connection ($DB) that is later used
      # to run a query. $STMT binds the variable name, so the rule is not
      # limited to code that happens to call it "stmt"; the "..." allows other
      # statements between the two lines. "$RESULT = ..." also matches a
      # declaration such as "ResultSet rs = ...".
      - pattern: |
          Statement $STMT = $DB.createStatement();
          ...
          $RESULT = $STMT.executeQuery($QUERY);
      # Only report dynamic queries: a plain string literal ("...") has no
      # injection surface. The earlier form of this rule used a
      # metavariable-pattern that matched $QUERY against $QUERY, which is
      # always true and therefore filtered nothing.
      - pattern-not: |
          Statement $STMT = $DB.createStatement();
          ...
          $RESULT = $STMT.executeQuery("...");
    message: |
      [SQL Injection Risk] Directly using dynamic SQL queries can be dangerous.
      Use PreparedStatement with parameters instead.
    languages: [java]
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-89: SQL Injection"
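The Java code the rule is written against, as an added example that is not part of the original rule page: a lookup that builds its query by concatenation (the shape the rule reports), the same lookup rewritten with a PreparedStatement as the rule's message recommends, and a constant-query Statement that has no injection surface. The `users` table, its `name`/`email` columns, the method names and the connection are assumptions; the class compiles against `java.sql` alone, but running it needs a JDBC driver and a database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not code from the original page. The "users" table and its
// columns are assumptions; "username" stands for attacker-controlled input.
public class UserLookup {

    // Vulnerable: the query text is assembled by string concatenation and
    // handed to Statement.executeQuery, which is exactly what the rule above
    // matches. Input such as   ' OR '1'='1   rewrites the WHERE clause into
    // a tautology, and   '; DROP TABLE users; --   can do worse on drivers
    // that allow multiple statements.
    static String findEmailUnsafe(Connection db, String username) throws SQLException {
        Statement stmt = db.createStatement();
        String query = "SELECT email FROM users WHERE name = '" + username + "'";
        ResultSet rs = stmt.executeQuery(query);
        return rs.next() ? rs.getString("email") : null;
    }

    // Hardened: the SQL text is a constant with a placeholder, and the user
    // value is bound as a parameter. The driver sends it separately from the
    // statement, so it can never change the statement's structure. No
    // Statement.executeQuery call with a dynamic argument remains, so the
    // rule does not fire here.
    static String findEmailSafe(Connection db, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // A Statement with a constant query: there is no attacker-controlled
    // input in the SQL text, so a rule that only wants dynamic queries
    // should leave this case alone. Kept in the same shape as the vulnerable
    // method so the difference is only in the argument to executeQuery.
    static int countUsers(Connection db) throws SQLException {
        Statement stmt = db.createStatement();
        ResultSet rs = stmt.executeQuery("SELECT COUNT(*) FROM users");
        return rs.next() ? rs.getInt(1) : 0;
    }
}
```

Running `semgrep --config java-sql-injection.yaml UserLookup.java` (file names assumed) is the quickest way to check a rule like this: the finding should land on `findEmailUnsafe` only, and a rule that also reports `countUsers` is filtering on nothing, which is the failure mode to watch for when the query filter is expressed in YAML.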