
SQL injection not detected by SAST


Summary

We have a customer that reported an SQL injection vulnerability that was not detected by SAST.

Here is the example code:

// Reporter's snippet, deliberately vulnerable: `ids` is interpolated straight into the SQL text.
// Assumed surrounding setup (not in the report): a pg Pool named `pool` and an enclosing class.
const { Pool } = require('pg')
const pool = new Pool()

class Grade {
  static async getByIds(ids) {
    var query = `SELECT * FROM grade WHERE id IN (${ids}) ORDER BY grade_name ASC`
    let results = await pool.query(query)
    return {
      rowCount: results.rowCount,
      rows: results.rows,
    };
  }
}

I ran this with the following CI/CD file:

include:
  - template: Jobs/SAST.gitlab-ci.yml

There was no report of a possible SQL injection.

Steps to reproduce

Example Project

What is the current bug behavior?

Code is not detected as a possible SQL injection vulnerability.

What is the expected correct behavior?

Code should be detected as a possible SQL injection vulnerability.

Relevant logs and/or screenshots

$ /analyzer run
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶ GitLab Semgrep analyzer v5.27.0
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶ Detecting project
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶ Loading ruleset for /builds/jdasmarinas/test-sql-injection-detection-sast
[WARN] [Semgrep] [2025-02-21T06:22:18Z] ▶ /builds/jdasmarinas/test-sql-injection-detection-sast/.gitlab/sast-ruleset.toml not found, ruleset customization will be disabled.
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶ Running analyzer
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶ 19 active rule files detected with 587 active rules
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/bandit.yml': '1d5f1383c92f36acb1d037009fe18a1f2b23e018a4b4cf6d62f779876bf4954d'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/eslint.yml': '9a0000468fb7788df7a1f0dcedab6b52f63f48bb20e23be1703d09df4f26a43d'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/find_sec_bugs.yml': '4ffaf454577a0f2570a5923eb626c5ad5cc2acb61ba69f195133446bb13ce016'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/find_sec_bugs_scala.yml': '511d1fcd1844c8c598ce2eecacf95ab876bfadb01c7740d474d007250f033a97'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/flawfinder.yml': 'c03d70d0acaf5d6f42173b0141fd1ac40fb2a61b2d9e6867d6785b56f366bf90'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/gitlab/gitlab_ee_java.yml': '4447e55e10167e94a8e720d2b4c0b468de341261c3416fd32ceb63ba15bff134'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/gitlab/gitlab_ee_javascript.yml': '428c386226edb09210df0df08ca4c2464949e948a88045694b3cfaab8079b8dc'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/gitlab_ce_python.yml': 'a1adf6cde5fa7e8ef530bd3ec122f6ac827e989f2c862aeae28a58a69c78ab6b'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/gitlab_ce_scala.yml': 'ee3d5ba84846f6c94085a1a76d3d250e68ce9c7f7502003647f7125a8667e1a3'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/gosec.yml': '2f8a4f954c8358ed4b5529be4f557190090209df1ac67bf55d24af2d755ffca0'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/lgpl-cc/brakeman.yml': '27bfe7c3e464b2786c360004c50a8e487c46f9ea7ffe011b5190696224665301'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/lgpl-cc/gitlab_lgpl_cc_java.yml': '17d681aba56265d68cbeb7e90681f2d69d8c0440714acb4940b57e9b5cb67bbb'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/lgpl-cc/gitlab_lgpl_cc_javascript.yml': 'abf15ac30a8c820f2d192a812d48f3a76e805c1cd3bee91d3b19d7c09d482519'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/lgpl-cc/gitlab_lgpl_cc_python.yml': '4fcb59e05b1bdb418ab3ce009b0af0c565fe16d255013f9f65e1981734fafbe8'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/lgpl-cc/phpcs_security_audit.yml': '7f3448e2fdbca069c55c5f34971fc48382ec1af86a973ee24614ce320494d630'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/lgpl/find_sec_bugs_kotlin.yml': '46cdf5ab58a11576cb48f87c42e587f21136e01b33b352d7444e8c74e5ae446f'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/lgpl/mobsf.yml': '18c9f0273caf79503e75cfdff7efa38fdec4a9e5f3084ebb915fe492a3446f66'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/lgpl/nodejs_scan.yml': 'f278351679f6874078ce4fd6a04b103936e944fd82936a919632d3cba2110ca8'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶  * rule file '/rules/security_code_scan.yml': 'a145b41abb93f352f70e9e7b7c335d09d0e1a95298f7fed85e35ef2fd3d7e4e8'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶ Combined rule checksum: '50cd48f2f6b045e313e5070f3e04df87c8aa93267e2f8a24321f7ba202745e1d'
[INFO] [Semgrep] [2025-02-21T06:22:18Z] ▶ Using the GitLab SAST default ruleset
[INFO] [Semgrep] [2025-02-21T06:22:19Z] ▶ METRICS: Using configs from the Registry (like --config=p/ci) reports pseudonymous rule metrics to semgrep.dev.
[INFO] [Semgrep] [2025-02-21T06:22:19Z] ▶ To disable Registry rule metrics, use "--metrics=off".
[INFO] [Semgrep] [2025-02-21T06:22:19Z] ▶ Using configs only from local files (like --config=xyz.yml) does not enable metrics.
[INFO] [Semgrep] [2025-02-21T06:22:19Z] ▶ 
[INFO] [Semgrep] [2025-02-21T06:22:19Z] ▶ More information: https://semgrep.dev/docs/metrics
[INFO] [Semgrep] [2025-02-21T06:22:19Z] ▶ 
[INFO] [Semgrep] [2025-02-21T06:22:26Z] ▶                
[INFO] [Semgrep] [2025-02-21T06:22:26Z] ▶                
[INFO] [Semgrep] [2025-02-21T06:22:26Z] ▶ ┌─────────────┐
[INFO] [Semgrep] [2025-02-21T06:22:26Z] ▶ │ Scan Status │
[INFO] [Semgrep] [2025-02-21T06:22:26Z] ▶ └─────────────┘
[INFO] [Semgrep] [2025-02-21T06:22:26Z] ▶   Scanning 18 files with 587 Code rules:
[INFO] [Semgrep] [2025-02-21T06:22:26Z] ▶   Scanning 1 file with 96 js rules.
[INFO] [Semgrep] [2025-02-21T06:22:28Z] ▶                 
[INFO] [Semgrep] [2025-02-21T06:22:28Z] ▶                 
[INFO] [Semgrep] [2025-02-21T06:22:28Z] ▶ ┌──────────────┐
[INFO] [Semgrep] [2025-02-21T06:22:28Z] ▶ │ Scan Summary │
[INFO] [Semgrep] [2025-02-21T06:22:28Z] ▶ └──────────────┘
[INFO] [Semgrep] [2025-02-21T06:22:28Z] ▶ Some files were skipped or only partially analyzed.
[INFO] [Semgrep] [2025-02-21T06:22:28Z] ▶   Partially scanned: 1 files only partially analyzed due to parsing or internal Semgrep errors
[INFO] [Semgrep] [2025-02-21T06:22:28Z] ▶ 
[INFO] [Semgrep] [2025-02-21T06:22:28Z] ▶ Ran 96 rules on 1 file: 0 findings.
[INFO] [Semgrep] [2025-02-21T06:22:29Z] ▶ Creating report

Output of checks

This bug happens on GitLab.com


Possible fixes

Edited by 🤖 GitLab Bot 🤖
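Added example, not code from the issue or from GitLab: the reported query construction beside a parameterized version, run against a stub in place of a `pg` Pool so it executes offline. It shows what the template literal actually sends to the server for a constructed attacker input, and how the hardened version keeps the SQL text constant and passes the ids as a bound array (`ANY($1::int[])`). The names `buildVulnerableQuery`, `buildSafeQuery`, `toIntIds`, `makeRecordingPool` and `PAYLOAD`, and the payload itself, are chosen here and are not from the report.

```javascript
// Same construction as the reported snippet: the caller's `ids` lands in the SQL text.
function buildVulnerableQuery(ids) {
  return `SELECT * FROM grade WHERE id IN (${ids}) ORDER BY grade_name ASC`;
}

// Parse `ids` (a comma-separated string from a query string, or an array) into integers,
// rejecting anything that is not a plain decimal id.
function toIntIds(ids) {
  const parts = Array.isArray(ids) ? ids : String(ids).split(',');
  return parts.map((part) => {
    const s = String(part).trim();
    if (!/^\d{1,18}$/.test(s)) {
      throw new TypeError(`invalid id: ${JSON.stringify(s)}`);
    }
    return Number(s);
  });
}

// Hardened version: the SQL text is constant and the ids travel as a bound array
// parameter (pg sends `values` to the server separately from the statement text).
function buildSafeQuery(ids) {
  return {
    text: 'SELECT * FROM grade WHERE id = ANY($1::int[]) ORDER BY grade_name ASC',
    values: [toIntIds(ids)],
  };
}

// Stub standing in for `pg.Pool` (assumption: same query(text, values) shape as pg):
// records what would be sent to the server instead of talking to Postgres.
function makeRecordingPool() {
  const calls = [];
  return {
    calls,
    async query(text, values) {
      calls.push({ text, values });
      return { rowCount: 0, rows: [] }; // constructed result; there is no database behind this
    },
  };
}

// Drop-in replacement for the reported getByIds, using the safe builder.
async function getByIds(pool, ids) {
  const { text, values } = buildSafeQuery(ids);
  const results = await pool.query(text, values);
  return { rowCount: results.rowCount, rows: results.rows };
}

// Constructed attacker input, e.g. `?ids=1) OR 1=1; DROP TABLE grade; --` on an HTTP endpoint.
const PAYLOAD = '1) OR 1=1; DROP TABLE grade; --';

async function demo() {
  const pool = makeRecordingPool();
  console.log('vulnerable text:', buildVulnerableQuery(PAYLOAD));
  try {
    await getByIds(pool, PAYLOAD);
  } catch (err) {
    console.log('safe version rejected payload:', err.message);
  }
  await getByIds(pool, '3, 1,2');
  console.log('sent to server:', JSON.stringify(pool.calls[0]));
  return pool.calls;
}

demo().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});
```

With the payload, the vulnerable builder produces `SELECT * FROM grade WHERE id IN (1) OR 1=1; DROP TABLE grade; --) ORDER BY grade_name ASC`, which is exactly the pattern the report expects SAST to flag; the safe builder rejects it before any query is issued, and for well-formed input the only thing that varies per request is the parameter array.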