SecOps Workbench · Sprint 7 · Day 8/10
Agent working
?page=remediation&issue=issue-sec-1745&tab=regression
Current stage
Awaiting human approval
5 of 7 · 71%
Triaged · Planned · Coded · Tested · Approval · Merge · Verified
Regression classification

Clean fix — no regressions detected

Single-file change exactly matches the playbook's expected output. All 47 tests pass (including 3 new regression cases), Fortify rescan confirms closure, no collateral changes, no new findings introduced anywhere in the repo.

Class A · safe to merge
Before
May 10 · 22:08
1 critical
SQL injection at OrderRepository.java:87 · taint flow from HTTP customerId param to queryForList sink
Open findings (file): 1
Open findings (service): 3
Tests in suite: 44
After
Today · 10:14
0 critical
Finding FOR-5183 marked Closed in Fortify rescan · query parameterized with placeholder · no new findings introduced
Open findings (file): 0 ↓
Open findings (service): 2 ↓
Tests in suite: 47 ↑

Check matrix

6 / 6 passed · 0 failed · 0 warnings
Build
Maven compile + package · mvn -B clean package
Duration: 47s
Unit tests
All 47 tests pass · existing suite untouched · 0 flaky reruns
47/47 passing
Regression tests (new)
3 new cases verifying malicious inputs are rejected · added by playbook
3/3 passing
SqlInjectionRegressionTest · 3 cases verify the parameterized query safely handles attack inputs without execution
rejects_classic_or_injection · input ' OR '1'='1 · 53ms
rejects_drop_table_attempt · input '; DROP TABLE orders-- · 41ms
rejects_union_select_exfiltration · input 1 UNION SELECT password FROM users · 62ms
Fortify rescan
Same rulepack as original scan · FOR-5183 marked Closed · no new findings
Finding: closed
Scope check
1 of 1 expected file touched · no out-of-scope changes detected
+18 / −4 lines
Container & dependency scan
Trivy + Sonatype OSS · no new CVEs introduced · no license changes
0 new CVEs

Side-effect probes

checks specific to "did the fix cause anything else to change?"
Public API unchanged
Method signature for findByCustomer is identical · no callers affected
DB schema untouched
No migration files added · no flyway or liquibase changes
Performance neutral
Sandbox benchmark: findByCustomer p95 within ±2ms of baseline
No auth/crypto touched
Files outside /repository/ not modified · auth-service unaffected
No config drift
application.yml, env vars, secrets all unchanged
No new dependencies
pom.xml unchanged · no transitive bumps detected

Files in scope

playbook predicted 1 file · agent touched 1 file · 100% match
Predicted by playbook
OrderRepository.java expected
Actually touched by agent
OrderRepository.java +18 / −4
SqlInjectionRegressionTest.java +62 (new)
test file is auto-added by playbook · counts as in-scope
All checks green. Class A · clean fix verified by Reviewer Agent + J. Reviewer.