javax.persistence.EntityManager.createNativeQuery SQL Injections missed

Code security review tool for C/C++, C#, VB, PHP, Java, PL/SQL, COBOL.

Brought to you by: npdunn

javax.persistence.EntityManager.createNativeQuery SQL Injections missed

Forum: General Discussion

Creator: Patrick Tucker

Created: 2014-09-02

Updated: 2014-09-08

Patrick Tucker - 2014-09-02

We used VCG 1.6.1.0 to scan some code that we inherited to look for security vulnerabilities and were mostly satisfied with the results. After doing manual scans of the code, we realized that it was not catching any of the SQL Injections on queries that were done through java's EntityManager.

Is there any reason it can not do this?

Thanks,
Pat

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

N1ckDunn - 2014-09-03

Hi Pat

I'll take a look at implementing a check for this in the next release.

Nick

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Patrick Tucker - 2014-09-08

That would be great!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.