JPA/Hibernate query built with string concatenation
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
EntityManager/Session createQuery or createNativeQuery is given a JPQL/SQL string built with + instead of a named or positional bind parameter, which is HQL/JPQL injection when the concatenated value is user-controlled.
Why it matters
Building a JPQL or native SQL string with + concatenation inside createQuery/createNativeQuery means anything concatenated in becomes part of the query text. If that value is ever user-controlled, an attacker-supplied value can change the query's logic entirely (classic injection), not just its data.
How to fix it
Use a named or positional bind parameter instead: write the query with :name or ?1 in the string, then call setParameter to supply the value. JPA sends the value separately from the query text, so it can never be interpreted as query syntax.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo