Issue in labeling the correct place of the alert in sql injection queries

[jamalmfarhat]

Hello,

I would like to report an issue in sql injection queries, where LGTM seems to fail to report the correct location of the error in the codeline.
The following project jamalmfarhat/lgtm-sql-injection-issue was created to replicate the problem.
In the example shown there, our security expert thinks that LGTM should label "Step 4" as the correct location of the alert.
Can you please check?

[aibaars]

I agree that MyQueryRunner.java line 16 would be a good location for reporting this error.

The first step (the source) proves that the data originates from user input, and the final step (the sink) proves the string is an SQL statement that is executed, but the actual injection happens in the place where the strings are concatenated.