Using OWASP LAPSE and ZAP for security analysis

Hi,

As suggested by @mseaton at [1], I was going through the code to find the possible security holes and thought of using a tool.

I used the LAPSE tool [2] and generated a report for reporting module. Please find the report at [3].

I have marked some sinks in red for SQL injection and, AFAIU, I think there is a vulnerability since they are replacing the values in the PreparedStatement instead of using the setValue method.

Before discussing these, I think it is better to have the report with us. I am scanning the openmrs-core as well and will give the report ASAP. Also, I am manually going through the report issues to find out whether they really need to be fixed.

It is true that most of these are false positives, since it is doing static analysis. But I think it will be a good step to prevent security vulnerabilities in our code, which would indeed increase the quality of our product.

ZAP [4] is another penetration testing tool, which will find vulnerabilities dynamically. So using that we will be able to get more positive results. I hope to do that ASAP and provide the report ASAP.

AFAIK, both static and dynamic analysis should be done to get the best out of it.

As a newbie, I don't know what has happened in the past. So please point me to the past work that OpenMRS has done regarding this. :slightly_smiling:

[1] https://github.com/openmrs/openmrs-module-reporting/pull/112
[2] https://www.owasp.org/index.php/OWASP_LAPSE_Project
[3] https://docs.google.com/spreadsheets/d/1GdInFzU-M8O36ZQwI2Kr9n0gQeNACMH-RpCasfx-vRY/
[4] https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Thanks & Regards, @ttcphilips

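The pattern the post describes (a value spliced into the SQL text of a PreparedStatement instead of bound with a setter) next to its parameterised form, as an added illustration that is not code from the reporting module or from the post; the `person_name` table, the `given_name` column and the `:name` placeholder convention are assumed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class NameLookup {

    // The kind of sink LAPSE flags: a PreparedStatement is created, but the value is
    // substituted into the SQL text with String.replace before the statement is prepared,
    // so nothing is actually bound. Quote characters in `name` become part of the query
    // text and can change its structure. (Vulnerable form, shown for comparison only.)
    static List<String> findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "select person_id from person_name where given_name = ':name'"
                .replace(":name", name);
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return collect(rs);
        }
    }

    // Hardened form: the bind marker stays in the SQL text and the value is supplied via
    // setString(). The driver passes it as a separate parameter, so whatever `name`
    // contains is treated as data and the query structure is fixed at prepare time.
    static List<String> findByName(Connection conn, String name) throws SQLException {
        String sql = "select person_id from person_name where given_name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Shared helper: read the first column of every row into a list.
    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getString(1));
        }
        return ids;
    }
}
```

When triaging the report, a sink is a real finding only if the first form is reached with data that is not from a trusted constant; the second form is safe regardless of the input and is what the flagged code should be changed to.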

@ttcphilips this is a great initiative! Please keep up the awesome contributions! :smile:

I updated the doc with the scan for reporting and htmlwidget modules.