SQL injection in OrderRepository.findByCustomer
Critical
CWE-89
order-service
playbook spring-sql-injection@2.3
Pre-approval checks: 4 of 4 passing
Build #4827 passing · 47 of 47 tests + 3 new regression tests
2h ago
Sandbox dry-run clean · java-17-v3 · 7m 41s
11m ago
Commit GPG-signed · 9a7f3d2 · key matches DEV agent
2h ago
Scope within policy · 1 file, +18 / −4 lines · under blast-radius cap
policy v3.2
Code change: required for critical · policy
order-service/src/main/java/com/co/order/OrderRepository.java · +18 / −4
42 public List<Order> findByCustomer(String id) {
43 String q = "SELECT * FROM orders WHERE customer='" + id + "'";
44 return jdbc.query(q, mapper);
43 String q = "SELECT * FROM orders WHERE customer = ?";
44 return jdbc.query(q, mapper, id);
45 }
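Review bot: the new lines 43–44 bind `id` as a JDBC parameter (`customer = ?` passed through `jdbc.query(q, mapper, id)`), which is the correct fix for the CWE-89 finding, but before signing confirm that the 3 new regression tests counted in Build #4827 actually exercise this method with a customer id containing a single quote (for example `O'Brien`) and with an empty or null id, so the tests would have failed against the removed `'" + id + "'` concatenation and now pass because the value is compared as a literal rather than parsed as SQL. Minor: `SELECT *` is carried over unchanged; narrowing it to the columns `mapper` reads would decouple the repository from future `orders` schema changes, though that is outside this fix's scope.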
Approvers: 3 of 4 signed
Developer Agent · opened MR
signed
2h ago
Reviewer Agent · code review
approved
11m ago
J. Reviewer · on-call sec eng
approved
at 10:31
Alice Brown · security lead · you
Your turn
now
Reason: optional · logged to audit trail