Security rule Y2: avoid SQL Strings to prevent SQL Injection #20

@hohwille

Description

From a comment on story #7

When you follow the devonfw Java recommendations you will never have to use the JPA API providing queries as a String. If a security rule verifies that you never do so, you are safe from SQL injection, which is a nice guarantee to have.

So best practice is that you do static queries like this:

@Query("SELECT item FROM TaskItemEntity item WHERE item.completed = :completed AND item.starred = :starred")

And dynamic queries like this:
https://github.com/devonfw-sample/devon4quarkus-reference/blob/8ad949c38e5b7bc21c15ddd3e0460e97c851ac49/src/main/java/com/devonfw/quarkus/productmanagement/domain/repo/ProductFragmentImpl.java#L29-L53

When using one of these methods:

You can easily get vulnerable to SQL injection. By adding a rule that disallows the usage of these methods we can eliminate SQL injections (at least to 99%; you really have to do crazy stuff with the other patterns to get vulnerable), and it is always great to know that you are safe from specific flaws, as such a rule will give you a guarantee.
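To make the distinction concrete, here is an added example (not code from the issue, from devonfw or from the linked devon4quarkus-reference repository) that puts the pattern the rule should catch next to the two safe patterns the issue recommends. It assumes `TaskItemEntity` from the `@Query` above is a JPA entity with `completed`, `starred` and a hypothetical `title` field, that Spring Data JPA and the `jakarta.persistence` namespace are in use, and it uses the standard JPA Criteria API for the dynamic query; the linked `ProductFragmentImpl` may use a different query builder. The unsafe method hands concatenated JPQL to `EntityManager.createQuery(String)`; whether that is one of the methods the issue lists is not recoverable from the page, but it is the shape of call a "no query strings" rule exists to reject.

```java
import java.util.ArrayList;
import java.util.List;

import jakarta.persistence.EntityManager;
import jakarta.persistence.TypedQuery;
import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.ParameterExpression;
import jakarta.persistence.criteria.Predicate;
import jakarta.persistence.criteria.Root;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;

// SAFE static query (the pattern from the issue): the JPQL text is a
// compile-time constant and caller input only ever enters as a bound
// parameter, so it cannot change the structure of the statement.
interface TaskItemRepository extends JpaRepository<TaskItemEntity, Long> {

  @Query("SELECT item FROM TaskItemEntity item WHERE item.completed = :completed AND item.starred = :starred")
  List<TaskItemEntity> findByCompletedAndStarred(@Param("completed") boolean completed,
      @Param("starred") boolean starred);
}

class TaskItemQueries {

  private final EntityManager em;

  TaskItemQueries(EntityManager em) {
    this.em = em;
  }

  // UNSAFE (what a "no query strings" rule should flag): the query text is
  // assembled from a caller-supplied value and passed to createQuery(String).
  // A quote character inside 'title' becomes part of the JPQL itself.
  // Kept here only to show the shape the rule rejects.
  List<TaskItemEntity> findByTitleUnsafe(String title) {
    String jpql = "SELECT item FROM TaskItemEntity item WHERE item.title = '" + title + "'";
    return em.createQuery(jpql, TaskItemEntity.class).getResultList();
  }

  // SAFE dynamic query: conditions are composed with the JPA Criteria API
  // instead of string concatenation. Optional filters are added only when
  // present, and the text filter is a named ParameterExpression that is
  // bound afterwards, so no caller value ever touches the query text.
  List<TaskItemEntity> findDynamic(Boolean completed, Boolean starred, String titlePrefix) {
    CriteriaBuilder cb = em.getCriteriaBuilder();
    CriteriaQuery<TaskItemEntity> cq = cb.createQuery(TaskItemEntity.class);
    Root<TaskItemEntity> item = cq.from(TaskItemEntity.class);
    List<Predicate> where = new ArrayList<>();
    ParameterExpression<String> prefixParam = cb.parameter(String.class, "titlePrefix");

    if (completed != null) {
      where.add(cb.equal(item.get("completed"), completed));
    }
    if (starred != null) {
      where.add(cb.equal(item.get("starred"), starred));
    }
    boolean hasPrefix = titlePrefix != null && !titlePrefix.isEmpty();
    if (hasPrefix) {
      where.add(cb.like(item.<String>get("title"), prefixParam));
    }

    cq.select(item).where(where.toArray(new Predicate[0]));
    TypedQuery<TaskItemEntity> query = em.createQuery(cq);
    if (hasPrefix) {
      // The wildcard is appended to the bound value, not to the query text.
      query.setParameter(prefixParam, titlePrefix + "%");
    }
    return query.getResultList();
  }
}
```

The property a static rule can enforce here is purely syntactic: `findByCompletedAndStarred` and `findDynamic` never call an `EntityManager` method that takes a query `String`, while `findByTitleUnsafe` does. That is why such a rule can give the guarantee the issue describes without having to reason about where each string came from.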
