Semgrep flags eight CommandText-with-string-interpolation call sites in MessageStore.cs as SQL-injection patterns. All are safe in this context: table names and clause fragments come from internal code constants, the actual values are bound via SqlParameter, and the plugin SQL surface is local-only with no external input vector. CodeQL would not flag these because it does dataflow analysis and sees the constants. Semgrep only matches patterns. Excluding the rule for this repo only via the new semgrep-exclude-rules input keeps the rule active for the other Hellion repos where it might catch real issues (e.g. the web apps).
This commit is contained in:
@@ -10,4 +10,12 @@ on:
|
||||
jobs:
|
||||
scan:
|
||||
uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
|
||||
with:
|
||||
# MessageStore.cs uses string-interpolation in CommandText for table
|
||||
# names and clause-joins that come from internal code constants, not
|
||||
# user input. Values are bound via SqlParameter, the SQL surface is
|
||||
# local-only inside a Dalamud plugin. Semgrep matches the pattern
|
||||
# without dataflow, so it flags those eight call sites; CodeQL
|
||||
# would not. Suppressed for this repo only.
|
||||
semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli'
|
||||
|
||||
|
||||
Reference in New Issue
Block a user