SQL Injection with Semgrep/Spotbugs


For SAST checks in our CI pipeline we use the Semgrep and SpotBugs scanners. These scanners flag the following situation as an instance of SQL Injection.

Repository Class

        // FIND_PRODUCTS_BY_IDENTIFER is a constant defined in another class (see below)
        Query q = em.createNativeQuery(FIND_PRODUCTS_BY_IDENTIFER);
        // the value is bound as a named parameter, not concatenated into the SQL text
        q.setParameter("productidentifier", productIdentifierParam);

FIND_PRODUCTS_BY_IDENTIFER lives in a separate class and is defined as a constant:

public static final String FIND_PRODUCTS_BY_IDENTIFER = "SELECT PRODUCTID FROM PRODUCT WHERE ID in (:productidentifier)";

The query is parameterized, so this is not a case of SQL Injection; it is a false positive. Can anyone shed some light on what has to be changed to make this violation go away, or is this already a known bug with the Semgrep analyzer?


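The distinction the scanners are meant to draw, as an added example that is not the asker's repository code and not Semgrep's or SpotBugs' own code: the genuinely injectable shape (untrusted text concatenated into the SQL string) beside the parameterized shape from the question, where the SQL text is a compile-time constant and the values travel as bind parameters. The class name `ProductRepository`, the `findUnsafe`/`findSafe` method names and the `List<Long>` element type are assumptions made for the illustration.

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.Query;

// Hypothetical repository (not the asker's class) contrasting the two patterns.
public class ProductRepository {

    // Same constant as in the question: the SQL text never changes at runtime,
    // and :productidentifier is a named bind parameter, not a string slot.
    public static final String FIND_PRODUCTS_BY_IDENTIFER =
            "SELECT PRODUCTID FROM PRODUCT WHERE ID IN (:productidentifier)";

    private final EntityManager em;

    public ProductRepository(EntityManager em) {
        this.em = em;
    }

    // INJECTABLE (deliberately): the caller-supplied text becomes part of the SQL
    // statement, so an input such as "1) OR 1=1 --" rewrites the query's structure.
    // This is the shape a SQL-injection rule exists to catch.
    @SuppressWarnings("unchecked")
    public List<Object> findUnsafe(String rawIds) {
        String sql = "SELECT PRODUCTID FROM PRODUCT WHERE ID IN (" + rawIds + ")";
        return em.createNativeQuery(sql).getResultList();
    }

    // PARAMETERIZED: the statement handed to the database is the constant above;
    // the ids are sent separately as bind values. Binding a typed collection of
    // Long means no element can ever be interpreted as SQL. Providers such as
    // Hibernate expand a collection bound to an IN (:name) placeholder into one
    // bind variable per element.
    @SuppressWarnings("unchecked")
    public List<Object> findSafe(List<Long> productIds) {
        Query q = em.createNativeQuery(FIND_PRODUCTS_BY_IDENTIFER);
        q.setParameter("productidentifier", productIds);
        return q.getResultList();
    }
}
```

The security property rests on the argument to `createNativeQuery` being a constant and the variable data going through `setParameter`; `findSafe` has exactly the structure the question shows. A pattern-based rule that cannot resolve a constant defined in another class sees only a non-literal argument to `createNativeQuery`, which is one plausible (but here unverified) reason the finding fires; whether inlining the literal, or adding a per-rule suppression or a `nosemgrep` comment, is the right response depends on which rule produced the finding, which the page does not show.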

There are 0 best solutions below