
False positive on "Query built by concatenation with a possibly-untrusted string" - "java/concatenated-sql-query" #16984

Open
@bpmarinho

Description


False positive on "Query built by concatenation with a possibly-untrusted string" - java/concatenated-sql-query

We have a constant value from an enum:

```java
public enum CommentType {

    REVIEW_SIMPLE_COMMENT("comment.review.simple"),
    SIMPLE_COMMENT("comment.simple");

    private final String type;

    private CommentType(String type) {
        this.type = type;
    }

    public String getType() {
        return this.type;
    }
}
```

Used in a query:

```java
sql.append(" AND REVIEW_COMMENT.COMMENT_TYPE = '").append(CommentType.REVIEW_SIMPLE_COMMENT.getType()).append("') ");
```

And CodeQL is stating "Query built by concatenation with a possibly-untrusted string" on `CommentType.REVIEW_SIMPLE_COMMENT.getType()`. From my understanding the enum is immutable. Could you take a look?
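Added example, not from the issue author or the CodeQL project: the reported concatenation placed beside the same filter written with a JDBC bind parameter. The enum is copied from the issue; the `SELECT` prefix, the `parameterized`/`prepare` helpers and the class name are assumptions for illustration. Binding the value keeps the SQL text free of runtime data, so the alert no longer applies regardless of how the analyzer classifies the getter's return value.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class ReviewCommentQuery {
    // Enum from the issue: every value is a compile-time string literal.
    public enum CommentType {
        REVIEW_SIMPLE_COMMENT("comment.review.simple"),
        SIMPLE_COMMENT("comment.simple");
        private final String type;
        CommentType(String type) { this.type = type; }
        public String getType() { return type; }
    }

    /** The pattern the issue reports: the enum value is spliced into the SQL text. */
    static String concatenated(CommentType ct) {
        StringBuilder sql = new StringBuilder("SELECT * FROM REVIEW_COMMENT WHERE 1=1"); // assumed prefix
        sql.append(" AND REVIEW_COMMENT.COMMENT_TYPE = '")
           .append(ct.getType()).append("' ");
        return sql.toString();
    }

    /** Same filter with a bind parameter: the value is collected, never concatenated. */
    static String parameterized(CommentType ct, List<Object> params) {
        StringBuilder sql = new StringBuilder("SELECT * FROM REVIEW_COMMENT WHERE 1=1"); // assumed prefix
        sql.append(" AND REVIEW_COMMENT.COMMENT_TYPE = ? ");
        params.add(ct.getType());
        return sql.toString();
    }

    /** Hypothetical helper: bind the collected values positionally on a PreparedStatement. */
    static PreparedStatement prepare(Connection conn, String sql, List<Object> params)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(sql);
        for (int i = 0; i < params.size(); i++) {
            ps.setObject(i + 1, params.get(i)); // JDBC parameters are 1-based
        }
        return ps;
    }

    public static void main(String[] args) {
        List<Object> params = new ArrayList<>();
        System.out.println(concatenated(CommentType.REVIEW_SIMPLE_COMMENT));
        System.out.println(parameterized(CommentType.REVIEW_SIMPLE_COMMENT, params)
                + " params=" + params);
    }
}
```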
