Why this Python code vulnerable to SQLi was not flagged?

Hi @rsprudencio,

Welcome to our community, and thanks for reporting the problem you are facing.

The expected issues are not raised because the bad and good folders don’t contain any __init__.py file, and they are not seen as packages (see 6. Modules — Python 3.10.4 documentation).

Because of this, when in bad/mod_user.py the module libuser is imported, there is an ambiguity about which libuser should be analyzed, if the one in bad or the one in good.

You should be able to raise the issues by adding the __init__.py file inside the two folders and by importing the libuser with from bad import libuser.

Another option is to keep the project as it is and scan the good and the bad folder separately as if they were two separate projects.