gitlab.bandit.B611


You should be very careful whenever you write raw SQL. Consider using the Django ORM before raw SQL. See https://docs.djangoproject.com/en/3.0/topics/db/sql/#passing-parameters-into-raw


Definition

rules:
  - id: bandit.B611
    patterns:
      - pattern-either:
          - pattern: $MODEL.objects.raw($QUERY, ...)
          - pattern: django.db.models.expressions.RawSQL(...)
    message: You should be very careful whenever you write raw SQL. Consider using
      Django ORM before raw SQL. See
      https://docs.djangoproject.com/en/3.0/topics/db/sql/#passing-parameters-into-raw
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command
        ('SQL Injection')"
      owasp: "A1: Injection"
      primary_identifier: bandit.B611
      secondary_identifiers:
        - name: Bandit Test ID B611
          type: bandit_test_id
          value: B611
      license: MIT
    severity: ERROR
    languages:
      - python
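The rule above fires on every `$MODEL.objects.raw(...)` and `RawSQL(...)` call, whether or not the query string is actually built from untrusted input, so a finding is a prompt to check how the query is constructed. The following example (added here, not part of the rule page or of Django) shows the two shapes a reviewer must tell apart: a query string interpolated from input, and the same query with the value passed as a parameter, which is what the linked Django docs recommend. It uses a constructed in-memory sqlite3 table named `myapp_person` so it runs without a Django project; `Manager.raw(sql, params)` and `RawSQL(sql, params)` hand `params` to the database driver in the same way, using `%s` placeholders where sqlite3 uses `?`.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a Django model table (hypothetical app "myapp").
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE myapp_person "
        "(id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO myapp_person (first_name, last_name) VALUES (?, ?)",
        [("Ada", "Lovelace"), ("Alan", "Turing")],
    )
    return conn


def find_by_last_name_unsafe(conn, last_name):
    # The shape the rule exists to catch: request data formatted into the SQL
    # text. In Django this is the same defect as
    #   Person.objects.raw(f"SELECT ... WHERE last_name = '{last_name}'")
    # The quoting is part of the string, so a value containing a quote can
    # change the meaning of the WHERE clause.
    sql = f"SELECT id FROM myapp_person WHERE last_name = '{last_name}'"
    return sorted(row[0] for row in conn.execute(sql))


def find_by_last_name_safe(conn, last_name):
    # The form the Django docs recommend:
    #   Person.objects.raw("SELECT ... WHERE last_name = %s", [last_name])
    # The driver binds the value; it is never parsed as SQL.
    sql = "SELECT id FROM myapp_person WHERE last_name = ?"
    return sorted(row[0] for row in conn.execute(sql, (last_name,)))


def compare(conn, last_name):
    # Returns (unsafe_ids, safe_ids) so the two behaviours can be compared
    # for one input value.
    return (
        find_by_last_name_unsafe(conn, last_name),
        find_by_last_name_safe(conn, last_name),
    )
```

For an ordinary value both functions agree; for a value containing a single quote the interpolated query either errors out or returns rows it should not, while the parameterised query simply finds no match.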