I am using FindBugs along with the plugin Find Security Bugs to help me find security flaws in my code. I am not sure why some code is flagged as vulnerable to SQL injection.
Here are two examples:
    // Example 1: the HQL text is a compile-time constant, nothing external is appended
    final StringBuilder queryString = new StringBuilder("SELECT users.login FROM Users users, Table table WHERE users.idUser = table.users.idUser");
    Query query = session.createQuery(queryString.toString()); // This line is flagged
    // Example 2: the only variable value (id) is bound as a named parameter, not concatenated into the HQL
    StringBuilder queryString = new StringBuilder("SELECT data FROM Table ");
    queryString.append("WHERE table.idEntreprise = :id");
    Query query = session.createQuery(queryString.toString()).setInteger("id", id); // This line is flagged
Is it a false positive, or did I miss something? If I understand the matter correctly, using createQuery() and setX() should be enough?
This is a false positive. Named query parameters are escaped by Hibernate, so no SQL injection can be performed.
Even the first query without named parameters is safe since it does not use external input for the users.idUser parameter.
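To make the distinction concrete, here is an added example (not the poster's code) showing the three cases side by side: a constant HQL string, a query that binds external input as a named parameter, and the genuinely injectable pattern the scanner is meant to catch, together with its parameterized fix. It assumes Hibernate 5.2 or later (typed createQuery and org.hibernate.query.Query) and a hypothetical User entity with login, name and idEntreprise fields.

```java
import org.hibernate.Session;
import org.hibernate.query.Query;
import java.util.List;

// Assumed entity: User(login, name, idEntreprise). Hibernate 5.2+ API is assumed.
public class UserQueries {
    private final Session session;

    public UserQueries(Session session) {
        this.session = session;
    }

    // Case 1: constant HQL, no external input anywhere in the string.
    // A taint-based scanner may still flag createQuery(), but there is nothing to inject.
    public List<String> allLogins() {
        String hql = "SELECT u.login FROM User u";
        return session.createQuery(hql, String.class).list();
    }

    // Case 2: external input bound as a named parameter.
    // The value is sent to the database separately from the query text, so it is
    // never parsed as HQL/SQL; this is the pattern from the question and it is safe.
    public List<String> loginsByEnterprise(int enterpriseId) {
        Query<String> q = session.createQuery(
                "SELECT u.login FROM User u WHERE u.idEntreprise = :id", String.class);
        return q.setParameter("id", enterpriseId).list();
    }

    // Case 3 (do not use): external input concatenated into the HQL text.
    // This is the real HQL injection the SQL_INJECTION_HIBERNATE warning exists for:
    // a name containing a quote changes the structure of the query.
    public List<String> loginsByNameUnsafe(String name) {
        String hql = "SELECT u.login FROM User u WHERE u.name = '" + name + "'";
        return session.createQuery(hql, String.class).list();
    }

    // Case 3 hardened: same query with the value bound, so the warning goes away
    // for a reason rather than being suppressed.
    public List<String> loginsByName(String name) {
        return session.createQuery(
                "SELECT u.login FROM User u WHERE u.name = :name", String.class)
            .setParameter("name", name)
            .list();
    }
}
```

The practical check when the scanner flags a createQuery() call is whether any part of the string passed to it originates from outside the code (request parameters, form fields, file contents); if it does not, or if every such value reaches the query only through setParameter()/setX(), the warning is a false positive.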