package webtest;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.jws.WebMethod;
import javax.jws.WebService;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Deliberately vulnerable fixture that exposes one SQL-injection sink through two entry points.
 *
 * <p>Both {@link #rest(String)} and {@link #webservice(String)} hand their caller-supplied
 * argument to {@link #sqli(String)}, which uses it as the complete SQL statement text. The
 * inline comments record which of the two call sites the rule javasecurity:S3649 reports.
 *
 * <p>Security note: the two paths are equally injectable at runtime; the missing finding on the
 * {@code @WebMethod} path is an analyzer coverage gap, not evidence that the path is safe.
 * Using {@link PreparedStatement} gives no protection here, because the protection comes from
 * fixed SQL text with {@code ?} placeholders and bound values, not from the class itself.
 */
@WebService
@RestController
@RequestMapping("api")
public class SQLIService {

    /** No-argument constructor. */
    public SQLIService() {
        // required for @WebService
    }

    /**
     * REST entry point: forwards the {@code badvalue} path segment to the SQL sink.
     *
     * @param badvalue untrusted value taken from the request path
     */
    @GetMapping("/{badvalue}")
    public void rest(@PathVariable String badvalue) {
        sqli(badvalue); // detected by javasecurity:S3649
    }

    /**
     * Web-service entry point: forwards the operation argument to the same SQL sink.
     *
     * @param badvalue untrusted value taken from the web-service request
     */
    @WebMethod
    public void webservice(String badvalue) {
        sqli(badvalue); // not detected by javasecurity:S3649
    }

    /**
     * Injection sink: prepares and executes {@code badvalue} verbatim as a query.
     *
     * <p>A hardened version would keep the SQL text constant and pass caller data only through
     * {@code ?} parameters (for example {@code setString}).
     *
     * @param badvalue text used, unmodified, as the SQL statement
     */
    private void sqli(String badvalue) {
        // NOTE(review): "url" is not a real JDBC URL, so this presumably exists for static
        // analysis rather than execution - confirm before running it anywhere.
        try (Connection connection = DriverManager.getConnection("url");
                // Tainted data becomes the statement text itself; no parameters are bound.
                PreparedStatement statement = connection.prepareStatement(badvalue);
                ResultSet rows = statement.executeQuery()) {
            if (rows.next()) {
                // do something
            }
        } catch (SQLException ex) {
            ex.printStackTrace();
        }
    }
}