j256 / ormlite-android

ORMLite Android functionality used in conjunction with ormlite-core
http://ormlite.com/
ISC License

EXTERNAL DATA IN SQL QUERIES [SAST] [M7] [CWE-89] #146

Open venjee opened 1 year ago

venjee commented 1 year ago

hi j256

Our app uses your lib, and we asked a third-party security company to do a security check on our app. They reported an issue about the ormlite lib; the details are listed below:

EXTERNAL DATA IN SQL QUERIES [SAST] [M7] [CWE-89] Description: Inclusion of input into raw SQL queries can potentially lead to a local SQL injection vulnerability in the mobile application, resulting in the compromise of any sensitive information stored within database files. The correct approach is to use prepared SQL statements beyond the user's control.

There is 'execSQL()' found in file 'com/j256/ormlite/android/AndroidCompiledStatement.java': [line 179: */] [line 180: throw new UnsupportedOperationException("Method not decompiled: com.j256.ormlite.android.AndroidCompiledStatement.execSql(android.database.sqlite.SQLiteDatabase, java.lang.String, java.lang.String, java.lang.Object[]):int");] [line 181: }]

[line 263: if (this.type.isOkForExecute()) {] [line 264: return execSql(this.db, "runExecute", this.sql, getArgArray());] [line 265: }]

[line 285: }] [line 286: return execSql(this.db, "runUpdate", str, getArgArray());] [line 287: }]

There is 'rawQuery()' found in file 'com/j256/ormlite/android/AndroidCompiledStatement.java': [line 249: }] [line 250: Cursor rawQuery = apiCompatibility.rawQuery(this.db, str, getStringArray(), this.cancellationHook);] [line 251: this.cursor = rawQuery;]

The ormlite version my app uses is 5.1. I found that the latest version was updated 2 years ago; it seems you will not maintain this lib?
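The three findings above all point at the same shape of call: a SQL string (`this.sql` / `str`) is handed to `execSql()` or `rawQuery()` together with a separate argument array (`getArgArray()` / `getStringArray()`). A scanner flags every `rawQuery()`/`execSQL()` call site regardless of how the SQL string was built, so whether this is a real CWE-89 exposure depends on the caller: if the `?` placeholders in the SQL text are constant and the untrusted value travels in the argument array, SQLite binds it as a literal; if the caller concatenates input into the SQL text, no bind array will save it. The example below is added here to show that difference on the application side using the public ORMLite API; it is not code from the ormlite-android project or from the reporter. The `Account` entity, its columns, and the `AccountLookup` helper are hypothetical, and obtaining the `Dao` (e.g. via `DaoManager.createDao`) is left to the caller.

```java
import java.sql.SQLException;
import java.util.List;

import com.j256.ormlite.dao.Dao;
import com.j256.ormlite.field.DatabaseField;
import com.j256.ormlite.stmt.PreparedQuery;
import com.j256.ormlite.stmt.QueryBuilder;
import com.j256.ormlite.stmt.SelectArg;
import com.j256.ormlite.table.DatabaseTable;

/** Hypothetical entity used only for this example. */
@DatabaseTable(tableName = "account")
public class Account {
    @DatabaseField(generatedId = true)
    int id;

    @DatabaseField(canBeNull = false)
    String name;

    @DatabaseField
    String secret;

    Account() {
        // ORMLite requires a no-arg constructor
    }
}

/** Hypothetical helper contrasting concatenated SQL with bound parameters. */
class AccountLookup {

    // VULNERABLE: the untrusted value becomes part of the SQL text itself.
    // With name = "x' OR '1'='1" the WHERE clause is true for every row,
    // so the whole table (including every 'secret') is returned.
    static List<String[]> lookupUnsafe(Dao<Account, Integer> dao, String name)
            throws SQLException {
        String sql = "SELECT id, name, secret FROM account WHERE name = '" + name + "'";
        return dao.queryRaw(sql).getResults();
    }

    // SAFE: the SQL text is a constant containing a '?' placeholder; the value
    // goes in the varargs array, which ORMLite passes to SQLite as bind
    // arguments rather than splicing it into the statement. Quote characters
    // in 'name' are stored and compared as data, never parsed as SQL.
    static List<String[]> lookupRawBound(Dao<Account, Integer> dao, String name)
            throws SQLException {
        return dao.queryRaw("SELECT id, name, secret FROM account WHERE name = ?", name)
                  .getResults();
    }

    // SAFE and typed: QueryBuilder generates the SQL from column names the
    // application controls, and SelectArg turns the runtime value into a
    // bound '?' parameter. The same input "x' OR '1'='1" matches only a row
    // whose name is literally that string.
    static List<Account> lookupBuilder(Dao<Account, Integer> dao, String name)
            throws SQLException {
        QueryBuilder<Account, Integer> qb = dao.queryBuilder();
        SelectArg nameArg = new SelectArg(name);
        qb.where().eq("name", nameArg);
        PreparedQuery<Account> query = qb.prepare();
        return dao.query(query);
    }
}
```

Parameter binding protects values only. Identifiers and clause fragments cannot be bound, so anything that still puts caller-controlled text into the statement (a column name chosen from input, a raw ORDER BY fragment, a table name) remains an injection point even when the rest of the query uses `SelectArg`; those must come from an allow-list in the application, not from the user. When triaging a SAST report like this one, the question to answer for each flagged call is therefore "where does the SQL string come from?", not "does this method call rawQuery()".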