This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Incorrect flagging SQL injection in DeveloperForce, a web client library #298

Open
JettJones opened this issue Jun 16, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@JettJones

Vulnerability URL
Provide the URL to the vulnerability. For example:

https://ossindex.sonatype.org/vulnerability/sonatype-2016-0594

Component URL
Provide the URL to the component. For example:

https://ossindex.sonatype.org/component/pkg:nuget/DeveloperForce.Force@2.1.0

Description
The flagged pull request in the vulnerability report does show a SQL-like string being formatted. But that string is consumed as an API query parameter in calling Salesforce. So the outcome would more likely be a mangled query.

Looks like a false positive.

@JettJones JettJones added the bug Something isn't working label Jun 16, 2022
@ken-duck
Contributor

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.


2 participants