How can we help?
From the security report produced by the scan:
There is 'execSQL()' found in file 'com/onesignal/core/internal/database/impl/OSDatabase.java':
[line 458: safeExecSQL(sQLiteDatabase, "ALTER TABLE notification ADD COLUMN expire_time TIMESTAMP;");]
[line 459: safeExecSQL(sQLiteDatabase, "UPDATE notification SET expire_time = created_time + 259200;");]
[line 460: safeExecSQL(sQLiteDatabase, OneSignalDbContract.NotificationTable.INDEX_CREATE_EXPIRE_TIME);]
[line 461: }]
[line 512: if (!StringsKt.startsWith$default(str, "sqlite_", false, 2, (Object) null)) {]
[line 513: db.execSQL("DROP TABLE IF EXISTS " + str);]
[line 514: }]
There is 'execSQL()' found in file 'com/onesignal/session/internal/outcomes/impl/OutcomeTableProvider.java':
[line 69: db.execSQL("INSERT INTO cached_unique_outcome(_id,name,channel_influence_id) SELECT _id,name,notification_id FROM cached_unique_outcome_notification;");]
[line 70: db.execSQL("UPDATE cached_unique_outcome SET channel_type = '" + InfluenceChannel.NOTIFICATION + "';");]
[line 71: db.execSQL("DROP TABLE cached_unique_outcome_notification;");]
[line 72: } catch (SQLiteException e) {]
Example of secure code:
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, new BigDecimal("153833.00"));
pstmt.setInt(2, 110592);
Example of insecure code:
db.rawQuery("SELECT username FROM users_table WHERE id = '" + input_id + "'", null);
db.execSQL("SELECT username FROM users_table WHERE id = '" + input_id + "'");
Environment
Android SDK: Android 11
react-native OneSignal SDK: 5.2.4
How can I fix it?
Or
How can I explain to the security team that it is safe to ignore?
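The scanner is flagging every `execSQL()` call that builds its SQL text by concatenation, but the two shapes in the report are different: the `UPDATE ... channel_type = '...'` line concatenates an enum constant, and the `DROP TABLE IF EXISTS` line concatenates a table name read back from `sqlite_master`, so neither carries attacker-controlled input. The following script is an added example (not OneSignal code and not part of the original issue) that reproduces the scanner's concern against a real SQLite database: it shows the concatenated-value query being injected, the same query with a bound parameter, and the identifier case, which cannot be fixed by binding (SQLite does not accept `?` for a table name) and therefore needs validation instead. On Android the equivalent bound-parameter calls are `SQLiteDatabase.execSQL(String sql, Object[] bindArgs)` and `rawQuery(String sql, String[] selectionArgs)`; the table and column names, sample rows and the `IDENT_RE` pattern below are constructed for the example.

```python
"""Added example: which execSQL shapes are injectable, demonstrated on SQLite."""
import re
import sqlite3


def make_db():
    """Constructed sample schema, loosely modelled on the scanner's example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users_table (id TEXT PRIMARY KEY, username TEXT)")
    con.execute("CREATE TABLE secrets (token TEXT)")
    con.executemany("INSERT INTO users_table VALUES (?, ?)",
                    [("1", "alice"), ("2", "bob")])
    con.execute("INSERT INTO secrets VALUES ('s3cr3t')")
    con.commit()
    return con


def lookup_insecure(con, input_id):
    """The scanner's insecure shape: the value is spliced into the SQL text,
    so a quote in input_id ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users_table WHERE id = '" + input_id + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_secure(con, input_id):
    """Same query with a bound parameter (execSQL/rawQuery bindArgs on
    Android): the value is passed to the engine separately and never parsed."""
    rows = con.execute("SELECT username FROM users_table WHERE id = ?",
                       (input_id,))
    return [row[0] for row in rows]


# Identifiers (table/column names) cannot be bound with '?', so a DDL
# statement like 'DROP TABLE IF EXISTS ' + name has to validate the name.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def drop_table_checked(con, name):
    """Drop a table only if the name is a plain identifier, is not an SQLite
    internal table, and actually exists in sqlite_master.
    Returns True if dropped, False if the name was rejected."""
    if not IDENT_RE.fullmatch(name) or name.startswith("sqlite_"):
        return False
    known = {row[0] for row in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if name not in known:
        return False
    # Quote the identifier anyway; doubling embedded quotes is SQLite's rule.
    con.execute('DROP TABLE IF EXISTS "%s"' % name.replace('"', '""'))
    con.commit()
    return True


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT token FROM secrets --"
    print("insecure:", lookup_insecure(db, payload))   # leaks the secret
    print("secure:  ", lookup_secure(db, payload))     # no match, nothing leaked
    print("drop bad name:", drop_table_checked(db, 'secrets"; DROP TABLE users_table; --'))
    print("drop real table:", drop_table_checked(db, "secrets"))
```

The triage answer for the security team follows from this: a finding is exploitable only if some part of the concatenated string can be influenced by an attacker. Constant SQL, an enum's `toString()`, and table names enumerated from `sqlite_master` do not meet that bar; a value taken from a notification payload, an intent extra or the network would, and should be bound.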