VG950 (BOLA find-by-id) is now AST-aware: it's suppressed only when the query is genuinely ownership-guarded — an ownership field in the WHERE clause (non-param value), or a same-function post-fetch ownership comparison against the session
Precise where regex can't be: ignores userId-in-select, sees a separate comparison statement, and won't count an ownership field whose value is itself a route param
Validated: VG950 22 to 15, all 7 removed are genuinely guarded, 0 true BOLA hidden, 0 false positives added. No rule or tool changes (442 / 37); gate green (PASS/A/0)
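The four query shapes these notes distinguish, as an added example that is not code from the project or from the rule's implementation. The in-memory `db.findFirst` helper, the handler names and the sample rows are hypothetical and constructed for illustration.

```javascript
// Constructed in-memory data and a hypothetical ORM-like findFirst(); not the tool's code.
const invoices = [
  { id: "1", userId: "alice", total: 10 },
  { id: "2", userId: "bob", total: 20 },
];
const db = {
  findFirst({ where, select }) {
    const row = invoices.find((r) => Object.entries(where).every(([k, v]) => r[k] === v));
    if (!row) return null;
    if (!select) return { ...row };
    return Object.fromEntries(Object.keys(select).map((k) => [k, row[k]]));
  },
};

// Unguarded find-by-id: userId appears only in select, which filters nothing.
function getUnguarded(req) {
  return db.findFirst({
    where: { id: req.params.id },
    select: { id: true, userId: true, total: true },
  });
}

// Guarded in the WHERE clause: the ownership value comes from the session.
function getWhereGuarded(req) {
  return db.findFirst({ where: { id: req.params.id, userId: req.session.userId } });
}

// Guarded post-fetch: a separate comparison statement in the same function.
function getPostFetchGuarded(req) {
  const row = db.findFirst({ where: { id: req.params.id } });
  if (!row) return null;
  if (row.userId !== req.session.userId) return null;
  return row;
}

// Not a guard: the ownership field is present, but its value is a route param
// that the caller controls just like the id.
function getParamOwner(req) {
  return db.findFirst({ where: { id: req.params.id, userId: req.params.userId } });
}

// Constructed request: alice's session asking for a record owned by bob.
function crossUserRequest() {
  return { params: { id: "2", userId: "bob" }, session: { userId: "alice" } };
}
```

Only `getWhereGuarded` and `getPostFetchGuarded` refuse the cross-user request; the other two return bob's row, which is why select-only and param-valued ownership fields should not suppress the finding.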