Tags: java, spring, security, sql-injection, zap

How can I avoid ZAP SQL Injection alerts if my application is already secured against that attack?


My QA team has reported to me that our application can be attacked using SQL Injection. However, none of our queries are created dynamically: we use an API for doing queries similar to Hibernate, we always prepare the statements before executing the queries, and we don't use stored procedures. The QA team is using ZAP to scan the application. So, what do I need to do to avoid ZAP SQL Injection alerts?


Solution

  • All automated scanners can report false positives. Someone needs to evaluate if the issues reported are false positives or real issues.

    If they are false positives then you can either:

    Please also raise a ZAP issue so that we can see if we can fix the code so that false positives are not reported.

    Simon (ZAP Project Lead)
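The evaluation step the answer above asks for can be done by replaying the scanner's probe against the code path in question. The following is an added example, not code from the question, the answer, or the ZAP project: it puts a string-concatenated query next to a parameterized one and runs two scanner-style checks (an OR-tautology and a boolean true/false pair) against each. It uses Python's built-in sqlite3 rather than the asker's Java/Hibernate stack so that it runs stand-alone; the table, its rows and the probe strings are constructed for the example and are not ZAP's actual payload list.

```python
import sqlite3

# Constructed in-memory data; stands in for the application's database.
SEED_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# Scanner-style probes. These are illustrative strings, not ZAP's actual
# payload list (an assumption made for this example).
TAUTOLOGY = "' OR '1'='1"
BOOL_TRUE = "alice' AND '1'='1"
BOOL_FALSE = "alice' AND '1'='2"


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the input is spliced into the SQL text, so a quote
    in it ends the literal and the remainder is parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, username):
    """Hardened form: the SQL text is fixed and the value is bound as a
    parameter, so it is compared as data and never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def tautology_check(lookup):
    """Replay an OR-tautology. Returns True when the payload widened the
    result set beyond what a non-existent user returns (real injection)."""
    conn = connect()
    baseline = lookup(conn, "nobody")
    try:
        injected = lookup(conn, TAUTOLOGY)
    except sqlite3.Error:
        # A database error caused by a stray quote also shows that the
        # input reached the SQL parser.
        return True
    return injected != baseline


def boolean_check(lookup):
    """Boolean-based replay: a query is injectable when a 'true' suffix
    leaves the original result unchanged while a 'false' suffix alters it.
    With bound parameters both probes are simply unknown usernames."""
    conn = connect()
    original = lookup(conn, "alice")
    try:
        with_true = lookup(conn, BOOL_TRUE)
        with_false = lookup(conn, BOOL_FALSE)
    except sqlite3.Error:
        return True
    return with_true == original and with_false != original


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concatenated),
                     ("prepared", lookup_prepared)):
        print(name, "tautology:", tautology_check(fn),
              "boolean:", boolean_check(fn))
```

Both checks report the concatenated lookup as injectable and the parameterized one as not. A scanner only sees HTTP responses, so a prepared-statement endpoint can still be flagged when something else (input echoed back in the page, an unrelated error message, response timing) makes the probe responses differ; replaying the payload against the actual query, as above, is how the alert gets classified as a false positive before it is closed or reported upstream.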