Forum Discussion

Kelbin
Copper Contributor
Jan 03, 2023

SharePoint List subjected to SQL Injection

Hi all,

My AppScan picked up a security vulnerability stating "/_api/web/siteusers" as being vulnerable to SQL injection.

I know that this is not a security concern, as users cannot update the list and, somewhere along the line, a SharePoint list is not SQL. But my words are not reaching the security people.

I would like to check if someone from Microsoft can provide a statement stating that the SharePoint APIs are not subject to SQL injection vulnerabilities and don't interact with the SQL DB directly.

Thanks!
