I have an anonymous procedure that I am getting with a StatementLoader and passing it to a CallableStatement. However FindBugs identifies this as being vulnerable to SQL Injection (SQL_INJECTION_JDBC). If I create a static method that returns the procedure as a string it is fine.
Is there a way I can use the statement loader without the sql injection bug popping up?
Example:
StatementLoader stmt = StatementLoader.getLoader(MyClass.class, connection);
try (final CallableStatement callable = connection.prepareCall(stmt.load("mySqlCode"))) {...
Yes, if your program merely loads an SQL statement from an external source and executes it, it is a bona fide SQL injection opportunity. The SQL statement should be a constant within the program, using parameter-substitution to provide values when executing it. The bug-catcher is correct – you should rewrite this code at once.
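The pattern the answer describes, as an added example that is not part of the question or answer above and not code from any StatementLoader library: the call text is a compile-time constant with `?` placeholders, and every variable value goes through a bind parameter on the `CallableStatement`. The procedure name `MY_PROC`, its two parameters, the `accountId` value and the JDBC URL are assumptions made up for this example; the unsafe variant is included only to show what static analysis flags when statement text is assembled from data the program does not control.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class ParameterizedCallExample {

    // The statement text is a compile-time constant: nothing loaded from a file,
    // a request or a database row can change its structure. Only the values bound
    // to the '?' markers vary per call. MY_PROC and its parameters are assumed.
    private static final String CALL_MY_PROC = "{call MY_PROC(?, ?)}";

    // Unsafe variant: the statement text is assembled from a value that came from
    // outside the program, so that value is parsed as SQL. Loading the whole text
    // from an external resource and passing it to prepareCall is the same problem
    // from the analyser's point of view: the text is not a constant it can trust.
    static String buildUnsafeCall(String accountId) {
        return "{call MY_PROC('" + accountId + "', 1)}";
    }

    // Safe variant: fixed statement text, values supplied through bind parameters.
    // The driver sends accountId as data; it can never alter the call's structure.
    static int callMyProc(Connection connection, String accountId, int flag) throws SQLException {
        try (CallableStatement callable = connection.prepareCall(CALL_MY_PROC)) {
            callable.setString(1, accountId);
            callable.setInt(2, flag);
            return callable.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder URL: replace with a real database that defines MY_PROC.
        String jdbcUrl = args.length > 0 ? args[0] : "jdbc:PLACEHOLDER_DATABASE_URL";
        try (Connection connection = DriverManager.getConnection(jdbcUrl)) {
            int rows = callMyProc(connection, "ACC-42", 1);
            System.out.println("rows affected: " + rows);
        }
    }
}
```

The check a reviewer applies is simple: every string handed to `prepareCall` or `prepareStatement` should be traceable to a literal in the source, and every runtime value should appear only as an argument to a `setXxx` call. A constant returned from a static method satisfies the first half, but the second half is what actually removes the injection risk.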