SecOps Workbench · Sprint 7 · Day 8/10
Agent working
Current stage
Awaiting human approval
5 of 7 · 71%
Triaged · Planned · Coded · Tested · Approval · Merge · Verified
Your next action
Review the fix, then approve & merge
All checks passing · reviewer agent + J. Reviewer have approved · final critical sign-off needed

What this is

summary by Triage Agent
Critical · Easy · 2h · Agent can fix

The findByCustomer method in OrderRepository.java:87 builds its SQL by concatenating the user-supplied customerId directly into the query string. An attacker who controls that parameter can inject arbitrary SQL — including UNION SELECT attacks to read other customers' orders, or destructive statements like DROP TABLE.

Triage Agent matched CWE-89 · selected spring-sql-injection@2.3 playbook · confidence 98% · 4m 12s ago

Closure blockers

3 of 4 cleared
Code change applied · via spring-sql-injection@2.3 · 18 lines changed in OrderRepository.java · 2h ago
Tests pass · 47 unit + 3 new regression tests · build green in CI · 1h ago
Fortify rescan clean · FOR-5183 marked Closed · no new findings introduced · 42m ago
Awaiting human approval · critical severity requires sign-off from @alice before merge · SLA: 6 days left · 8m

Acceptance criteria

from playbook
Query uses parameter binding (PreparedStatement / @Param), no string concatenation · verified in OrderRepository.java:87
Regression test with malicious input passes · SqlInjectionRegressionTest · 3 cases: ' OR '1'='1, ; DROP TABLE, UNION SELECT
Fortify rescan shows finding closed · FOR-5183 Closed · scanned at 10:14
Reviewer Agent approval · approved with no comments · 11m ago
Human security lead approval (required for critical severity) · pending · @alice notified in AgentBook
MR merged to main and deployed · will auto-deploy after merge via standard pipeline
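As an added illustration (not the workbench's output nor the project's own code), here is the concatenation pattern the triage summary describes beside the parameter-binding form the first acceptance criterion requires, in both plain JDBC (PreparedStatement) and Spring Data (@Param) style. The orders table, the customer_id column and the Order JPA entity are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class OrderRepository {

    // BEFORE (the CWE-89 pattern from the summary): the caller's value becomes
    // part of the SQL text, so the database parses anything it contains as
    // statement syntax rather than as a customer id.
    public List<Long> findByCustomerVulnerable(Connection conn, String customerId) throws SQLException {
        String sql = "SELECT id FROM orders WHERE customer_id = '" + customerId + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collectIds(rs);
        }
    }

    // AFTER: the SQL text is a constant and the value is sent as a bound
    // parameter. A payload such as ' OR '1'='1 is compared literally against
    // customer_id and matches no rows, which is what the regression test checks.
    public List<Long> findByCustomer(Connection conn, String customerId) throws SQLException {
        String sql = "SELECT id FROM orders WHERE customer_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                return collectIds(rs);
            }
        }
    }

    private static List<Long> collectIds(ResultSet rs) throws SQLException {
        List<Long> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getLong("id"));
        }
        return ids;
    }
}

// Spring Data equivalent of the same fix: a fixed JPQL string with the value
// bound by name through @Param (Order is an assumed JPA entity).
interface OrderJpaRepository extends org.springframework.data.jpa.repository.JpaRepository<Order, Long> {
    @org.springframework.data.jpa.repository.Query("SELECT o FROM Order o WHERE o.customerId = :customerId")
    List<Order> findByCustomer(@org.springframework.data.repository.query.Param("customerId") String customerId);
}
```

For each of the three listed regression inputs, the bound version should return an empty list without touching any other customer's rows or executing a second statement.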