SAST java SQL: false positives

I have encountered a number of false positives in our security scanning since the implementation was changed to semgrep-sast. It has generated many thousands of false positives across our projects:

  • using JPA EntityManager, a hardcoded string split across multiple lines for readability with + in between is marked as a medium potential injection
  • all instances of JPA CriteriaQuery|CriteriaDelete|CriteriaUpdate passed to EntityManager::createQuery are considered critical potential injections
  • a hardcoded string split across multiple lines for readability with + in between is also considered a medium potential injection when passed to java.sql.Connection::prepareStatement

None of these items are a potential SQL injection, so the semgrep rules should be changed to ignore these constructs.
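The three constructs the post lists, written out as an added example (not code from the original post or from the semgrep-sast project) beside the one shape that a SQL-injection rule actually needs to catch. It assumes a JPA entity `Order` with a `status` field mapped to a table `orders`, and that the `EntityManager` and JDBC `Connection` are supplied by the caller; the `javax.persistence` package name is an assumption as well.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;

// Constructed example. "Order" is assumed to be a JPA entity with a String
// field "status" (table "orders", column "status"); the EntityManager and
// Connection are assumed to be supplied by the caller.
public class OrderRepository {

    // Construct 1: JPQL split across lines with "+" for readability.
    // Every operand is a string literal, so javac folds the whole expression
    // into a single compile-time constant. No runtime value can reach the
    // query text; the caller's value is bound through a named parameter.
    public List<Order> findByStatusJpql(EntityManager em, String status) {
        TypedQuery<Order> q = em.createQuery(
                "SELECT o FROM Order o "
              + "WHERE o.status = :status "
              + "ORDER BY o.createdAt DESC",
                Order.class);
        q.setParameter("status", status);
        return q.getResultList();
    }

    // Construct 2: Criteria API. The query is assembled from typed objects,
    // never from a string, so there is no query text for input to alter.
    public List<Order> findByStatusCriteria(EntityManager em, String status) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Order> cq = cb.createQuery(Order.class);
        Root<Order> root = cq.from(Order.class);
        cq.select(root).where(cb.equal(root.get("status"), status));
        return em.createQuery(cq).getResultList();
    }

    // Construct 3: plain JDBC with the same multi-line literal and a "?"
    // placeholder bound through PreparedStatement.
    public List<String> findIdsByStatusJdbc(Connection conn, String status)
            throws SQLException {
        String sql = "SELECT id FROM orders "
                   + "WHERE status = ? "
                   + "ORDER BY created_at DESC";
        List<String> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, status);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getString("id"));
                }
            }
        }
        return ids;
    }

    // Contrast: the shape a SQL-injection rule should flag. Here "+" joins a
    // method parameter into the query text, so the string is no longer a
    // compile-time constant and the caller's value becomes part of the
    // statement. Shown only to mark the distinction the rule has to make.
    public List<Order> findByStatusUnsafe(EntityManager em, String status) {
        return em.createQuery(
                "SELECT o FROM Order o WHERE o.status = '" + status + "'",
                Order.class).getResultList();
    }
}
```

What separates the first three methods from the last is not the presence of `+` but what it joins: in constructs 1 and 3 every operand is a literal, which makes the argument a constant expression (JLS 15.29) that javac folds into one string in the class file (visible with `javap -c`), and in construct 2 there is no string at all. A rule that treats any concatenation in the argument to `createQuery` or `prepareStatement` as tainted cannot tell these apart from the last method; one that checks whether a non-constant operand flows into the expression can.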