OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect flagging SQL injection in DeveloperForce, a web client library #298

Open JettJones opened 2 years ago

JettJones commented 2 years ago

Vulnerability URL: Provide the URL to the vulnerability. For example:

https://ossindex.sonatype.org/vulnerability/sonatype-2016-0594

Component URL: Provide the URL to the component. For example:

https://ossindex.sonatype.org/component/pkg:nuget/DeveloperForce.Force@2.1.0

Description: The flagged pull request in the vulnerability report does show a SQL-like string being formatted. But that string is consumed as an API query parameter in calling Salesforce. So the outcome would more likely be a mangled query.

Looks like a false positive.

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.