I’m evaluating SonarQube Developer Edition v10.6, using dotnet-sonarscanner.
I’m scanning a .NET Core project on my local machine to which I’ve added a SQL injection vulnerability. This is the code I’ve added:
```csharp
public async Task<List<InvoiceRDA>> GetRFAInvoicesWithDateFormDB2(string storeNumber, string fromDate, string toDate, string itemNumber)
{
    List<InvoiceRDA> rfaInvoiceDetails = new List<InvoiceRDA>();
    using (var connection = new DB2Connection(_options.IBMDB2Connection)) //new SqlConnection(_options.IBMDB2Connection)) //new System.Data.Odbc.OdbcConnection(_options.IBMDB2Connection))
    {
        try
        {
            string queryString = string.Empty;
            if (string.IsNullOrEmpty(itemNumber))
            {
                // storeNumber is spliced straight into the query text (the deliberate injection point)
                queryString = CLAIMS_GET_RFA_INVOICES_WITH_DATE.Replace("@storeNumber", storeNumber.PadLeft(5, '0')).ToString();
            }
            else
            {
                // storeNumber and itemNumber are both spliced into the query text
                queryString = CLAIMS_GET_RFA_INVOICES_WITH_DATE_ITEMNBR.Replace("@storeNumber", storeNumber.PadLeft(5, '0')).ToString();
                queryString = queryString.Replace("@itemNumber", itemNumber);
            }
            // fromDate and toDate are formatted into the query text as well
            queryString = string.Format(queryString, fromDate, toDate, _options.Environment);
            rfaInvoiceDetails = (await connection.QuerySqlAsync<InvoiceRDA>(queryString)).ToList();
        }
        catch
        {
            throw; // closing structure of the method is assumed; the posted snippet ends after the query call
        }
    }
    return rfaInvoiceDetails;
}
```
The scan completes normally, but it’s not reporting any SQL injection vulnerability.
I just set this server up; is there something I need to do to enable the security vulnerability scanning?
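For comparison, here is an added example (not from the post above) of the same lookup written so that storeNumber, fromDate, toDate and itemNumber are bound as command parameters and never become part of the SQL text; it assumes the IBM.Data.DB2.Core provider behind DB2Connection, `@name` parameter markers, and placeholder table and column names, since the real schema and the CLAIMS_* constants are not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Threading.Tasks;
using IBM.Data.DB2.Core; // assumption: the provider that defines DB2Connection/DB2Command

public sealed class InvoiceRDA
{
    public string InvoiceNumber { get; set; } = "";
    public decimal Amount { get; set; }
}

public static class RfaInvoiceRepository
{
    // Table and column names are placeholders; the @name parameter markers are the form
    // accepted by the IBM .NET provider (assumption). The schema is the only spliced value.
    private const string SqlByDate =
        "SELECT INVOICE_NBR, AMOUNT FROM {0}.RFA_INVOICES " +
        "WHERE STORE_NBR = @storeNumber AND INV_DATE BETWEEN @fromDate AND @toDate";
    private const string SqlByDateAndItem = SqlByDate + " AND ITEM_NBR = @itemNumber";
    // Identifiers such as schema names cannot be bound as parameters, so the environment
    // value is checked against a fixed allow-list before it is formatted into the text.
    private static readonly HashSet<string> AllowedSchemas = new() { "DEV", "QA", "PROD" };

    public static async Task<List<InvoiceRDA>> GetRFAInvoicesWithDateAsync(
        string connectionString, string environment,
        string storeNumber, string fromDate, string toDate, string itemNumber)
    {
        if (!AllowedSchemas.Contains(environment))
            throw new ArgumentException("Unknown environment schema", nameof(environment));
        bool filterByItem = !string.IsNullOrEmpty(itemNumber);
        string sql = string.Format(filterByItem ? SqlByDateAndItem : SqlByDate, environment);
        var results = new List<InvoiceRDA>();
        await using var connection = new DB2Connection(connectionString);
        await connection.OpenAsync();
        await using var command = connection.CreateCommand();
        command.CommandText = sql;
        // Every caller-supplied value travels as a typed parameter, never as SQL text.
        command.Parameters.Add(new DB2Parameter("@storeNumber", DB2Type.Char) { Value = storeNumber.PadLeft(5, '0') });
        command.Parameters.Add(new DB2Parameter("@fromDate", DB2Type.Date) { Value = DateTime.Parse(fromDate, CultureInfo.InvariantCulture) });
        command.Parameters.Add(new DB2Parameter("@toDate", DB2Type.Date) { Value = DateTime.Parse(toDate, CultureInfo.InvariantCulture) });
        if (filterByItem)
            command.Parameters.Add(new DB2Parameter("@itemNumber", DB2Type.VarChar) { Value = itemNumber });
        await using var reader = await command.ExecuteReaderAsync();
        while (await reader.ReadAsync())
            results.Add(new InvoiceRDA { InvoiceNumber = reader.GetString(0), Amount = reader.GetDecimal(1) });
        return results;
    }
}
```

Because the query text here is a compile-time constant plus an allow-listed schema name, a taint analysis has no user-controlled string reaching the command text to report, which is the contrast to the posted method where Replace and string.Format carry the parameters into the SQL.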