Hi, I read (here: SonarCloud Community: Major updates on security rules for Python, C# and Java) that SonarCloud should support C# code analysis against SQL injection even when using Dapper. I have the following code:
public async Task<UserDto[]> FindAll(string param)
{
    SqlCommand command;
    string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param);
    command = new SqlCommand(sensitiveQuery); // Correctly detected
    using (var uow = ConnectionProvider.Create())
    {
        var entities = await uow.QueryAsync<UserDto>(sensitiveQuery); // Not detected
        return entities.ToArray();
    }
}
Sonar correctly identifies line 5 as dangerous, but does not mark line 9 as a potential risk.
Can you please advise me how to arrange the designation of line 9 as a potential risk?
Tested on https://sonarcloud.io/ and on the SonarLint VS add-on (version 4.25.0.20544).
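For reference, the parameterized form of the same Dapper call, which removes the injection risk whether or not the analyzer flags it. This is an added example, not the original poster's code; it assumes `ConnectionProvider.Create()` returns an `IDbConnection` that Dapper's `QueryAsync` extension can be called on, as in the post.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Dapper;

public async Task<UserDto[]> FindAll(string param)
{
    // The SQL text is a constant. The caller-supplied value is bound as the
    // @name parameter and sent to the server as data, so it is never parsed
    // as part of the statement the way the string.Format version allows.
    const string query = "INSERT INTO Users (name) VALUES (@name)";

    // Assumed: ConnectionProvider.Create() returns an IDbConnection (as in the post).
    using (var uow = ConnectionProvider.Create())
    {
        var entities = await uow.QueryAsync<UserDto>(query, new { name = param });
        return entities.ToArray();
    }
}
```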