From 46330bdc3efef0bb246cc73ab9308b16cc6a5a59 Mon Sep 17 00:00:00 2001
From: bkaiserinfosec <49665796+bkaiserinfosec@users.noreply.github.com>
Date: Mon, 30 Jun 2025 13:48:32 -0700
Subject: [PATCH] Potential fix for code scanning alert no. 155: SQL query built from user-controlled sources

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/vr/vulns/web/metrics.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/vr/vulns/web/metrics.py b/src/vr/vulns/web/metrics.py
index cc0fd01..b65e741 100644
--- a/src/vr/vulns/web/metrics.py
+++ b/src/vr/vulns/web/metrics.py
@@ -30,10 +30,7 @@ def component_metrics(id):
         return redirect(url_for('admin.login'))
     elif status == 403:
         return render_template('403.html', user=user, NAV=NAV)
-    key = 'ApplicationId'
-    val = id
-    filter_list = [f"{key} = '{val}'"]
-    vuln_all = Vulnerabilities.query.filter(text("".join(filter_list))).all()
+    vuln_all = Vulnerabilities.query.filter(text("ApplicationId = :id")).params(id=id).all()
     schema = VulnerabilitiesSchema(many=True)
     assets = schema.dump(vuln_all)
     NAV['appbar'] = 'metrics'
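Review bot: The new filter on the added line is correctly bound, but it still hands SQLAlchemy a raw SQL fragment through `text()`; if `ApplicationId` is a mapped column on `Vulnerabilities`, the plain ORM comparison `vuln_all = Vulnerabilities.query.filter(Vulnerabilities.ApplicationId == id).all()` expresses the same query with no string SQL at all, lets the mapper validate the column name, and leaves nothing for a later edit to concatenate into again. Whether `id` is already constrained to an integer by the route converter is not visible in this hunk; if it is not, that is worth confirming, since the bound value now reaches the database as whatever type the URL yields. `component_metrics` begins before this hunk and continues past it.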