Developer edition not picking up SQL injections

I’m evaluating SonarQube Developer Edition v10.6, using dotnet-sonarscanner.
I’m scanning a .NET Core project on my local machine to which I’ve added a SQL injection vulnerability. This is the code I’ve added:

public async Task<List<InvoiceRDA>> GetRFAInvoicesWithDateFormDB2(string storeNumber, string fromDate, string toDate, string itemNumber)
{
    List<InvoiceRDA> rfaInvoiceDetails = new List<InvoiceRDA>();
    using (var connection = new DB2Connection(_options.IBMDB2Connection)) //new SqlConnection(_options.IBMDB2Connection)) //new System.Data.Odbc.OdbcConnection(_options.IBMDB2Connection))
    {
        try
        {
            string queryString = string.Empty;
            if (string.IsNullOrEmpty(itemNumber))
            {
                // storeNumber is spliced straight into the SQL text (the intended injection point)
                queryString = CLAIMS_GET_RFA_INVOICES_WITH_DATE.Replace("@storeNumber", storeNumber.PadLeft(5, '0')).ToString();
            }
            else
            {
                queryString = CLAIMS_GET_RFA_INVOICES_WITH_DATE_ITEMNBR.Replace("@storeNumber", storeNumber.PadLeft(5, '0')).ToString();
                // itemNumber is spliced in unescaped as well
                queryString = queryString.Replace("@itemNumber", itemNumber);
            }

            // fromDate and toDate are also interpolated into the statement text
            queryString = string.Format(queryString, fromDate, toDate, _options.Environment);
            rfaInvoiceDetails = (await connection.QuerySqlAsync<InvoiceRDA>(queryString)).ToList();
        }
        catch (Exception)
        {
            // error handling omitted from the original post; rethrow so the failure is not swallowed
            throw;
        }
    }

    return rfaInvoiceDetails;
}

The scan completes normally, but it’s not reporting any SQL injection vulnerability.
I just set this server up. Is there something I need to do to enable the security vulnerability scanning?

Hi,
Thank you for your post. I will look at this issue and come back to you asap.
Regards
Sebastien

Can I please have an update on this?

Hey @Tamanna

Please review our FAQ, and have some patience.

I created a topic, when can I expect a response?

This is an open community with people volunteering their free time to provide assistance. We’re eager to contribute to the community, but you are not guaranteed a fast response.

Be patient

  • Wait a few days before bumping a topic that hasn’t received a response.
  • Do not @name mention individuals not involved in the topic.

Contribute as much as you expect to receive

  • Contribute to the community (helping others) as much as you expect to receive help.

It is not a replacement for more structured support

  • If you need SLAs, guaranteed response, privacy, SonarSource also offers Commercial Support.

Hi,

I would need some more information:

  • what is QuerySqlAsync exactly? I do not think it is part of .NET Core.
  • what is the context exactly? I assume that GetRFAInvoicesWithDateFormDB2 is in a controller, but which kind?

Regards
Sebastien

Hi,

We are using the Insight.Database.Core package; the .QuerySqlAsync method is an extension method from the Insight package.
Also, what are my options to know which libraries Sonar supports in terms of SQL?

Thanks,
Tamanna

Hi,
We do not support the Insight.Database.Core package, which is why the SQL injection is not detected. Our current support of .NET Core is quite limited for the moment. We have worked on this over the past weeks and will continue this effort in the coming months. I can’t give a precise list of packages we are supporting as this is evolving all the time.
Regards
Sebastien
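The thread ends with two facts: the posted method builds its statement by string replacement, and SonarQube’s .NET taint analysis did not report it because it has no model of the Insight.Database sink. The following is an added example (not code from the post, from Insight.Database or from SonarSource) that puts the posted pattern next to a parameterized rewrite of the same query, and adds the ASP.NET Core controller that Sebastien asked about, since taint analysis also needs a source it recognizes (request-bound action parameters are one). Assumed, because the post does not show them: the IBM.Data.DB2.Core namespace for DB2Connection, the InvoiceRDA columns, the shape of the CLAIMS_GET_RFA_INVOICES_WITH_DATE_ITEMNBR template, that _options.Environment is a schema name, a yyyy-MM-dd date format, and that the DB2 provider accepts @name parameter markers as the post’s own templates suggest.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using IBM.Data.DB2.Core;     // assumption: the package providing DB2Connection in the post
using Insight.Database;      // QuerySqlAsync extension methods (Insight.Database.Core)
using Microsoft.AspNetCore.Mvc;

// Hypothetical row type standing in for the InvoiceRDA class of the post.
public class InvoiceRDA
{
    public string InvoiceNumber { get; set; }
    public decimal Amount { get; set; }
}

public class InvoiceRepository
{
    private readonly string _connectionString;  // assumption: _options.IBMDB2Connection in the post
    private readonly string _schema;            // assumption: _options.Environment is a schema name

    public InvoiceRepository(string connectionString, string schema)
    {
        _connectionString = connectionString;
        _schema = schema;
    }

    // VULNERABLE: same shape as the posted code. Every argument is spliced into the SQL
    // text, so an itemNumber such as  X' OR '1'='1  rewrites the WHERE clause.
    public async Task<List<InvoiceRDA>> GetInvoicesUnsafe(string storeNumber, string fromDate, string toDate, string itemNumber)
    {
        // Hypothetical template in the style of CLAIMS_GET_RFA_INVOICES_WITH_DATE_ITEMNBR.
        const string template =
            "SELECT INVOICE_NUMBER, AMOUNT FROM {2}.RFA_INVOICES " +
            "WHERE STORE_NBR = '@storeNumber' AND ITEM_NBR = '@itemNumber' " +
            "AND INV_DATE BETWEEN '{0}' AND '{1}'";

        string sql = template
            .Replace("@storeNumber", storeNumber.PadLeft(5, '0'))
            .Replace("@itemNumber", itemNumber);
        sql = string.Format(sql, fromDate, toDate, _schema);

        using var connection = new DB2Connection(_connectionString);
        return (await connection.QuerySqlAsync<InvoiceRDA>(sql)).ToList();
    }

    // HARDENED: the statement text has a fixed shape; user values travel as bind parameters.
    public async Task<List<InvoiceRDA>> GetInvoicesSafe(string storeNumber, string fromDate, string toDate, string itemNumber)
    {
        // A schema name cannot be a bind parameter. It comes from configuration, not from
        // the request, but it is still restricted to a plain identifier before interpolation.
        if (!Regex.IsMatch(_schema, "^[A-Z][A-Z0-9_]{0,29}$"))
            throw new ArgumentException("schema is not a plain identifier", nameof(_schema));

        // Dates are parsed once; a malformed date fails here instead of reaching the database.
        var from = DateTime.ParseExact(fromDate, "yyyy-MM-dd", CultureInfo.InvariantCulture);
        var to = DateTime.ParseExact(toDate, "yyyy-MM-dd", CultureInfo.InvariantCulture);

        string sql =
            $"SELECT INVOICE_NUMBER, AMOUNT FROM {_schema}.RFA_INVOICES " +
            "WHERE STORE_NBR = @storeNumber AND INV_DATE BETWEEN @fromDate AND @toDate" +
            (string.IsNullOrEmpty(itemNumber) ? "" : " AND ITEM_NBR = @itemNumber");

        using var connection = new DB2Connection(_connectionString);
        // Insight maps the anonymous object's properties onto the @-named markers and sends
        // them as typed parameters, so the values never become part of the statement text.
        var rows = await connection.QuerySqlAsync<InvoiceRDA>(sql, new
        {
            storeNumber = storeNumber.PadLeft(5, '0'),
            fromDate = from,
            toDate = to,
            itemNumber = string.IsNullOrEmpty(itemNumber) ? null : itemNumber
        });
        return rows.ToList();
    }
}

// Taint analysis needs a recognised source as well as a recognised sink. Parameters of an
// ASP.NET Core action bound from the request are such a source; the repository method alone
// has no taint flowing into it from the analyzer's point of view.
[ApiController]
[Route("api/[controller]")]
public class InvoicesController : ControllerBase
{
    private readonly InvoiceRepository _repo;
    public InvoicesController(InvoiceRepository repo) => _repo = repo;

    [HttpGet]
    public Task<List<InvoiceRDA>> Get(string storeNumber, string fromDate, string toDate, string itemNumber)
        => _repo.GetInvoicesUnsafe(storeNumber, fromDate, toDate, itemNumber);
}
```

A practical check when a scan stays silent: before concluding the server is misconfigured, temporarily pass the same tainted string into a sink the analyzer does model, for instance `new System.Data.SqlClient.SqlCommand(sql, sqlConnection)`, and rescan. If that raises the C# injection rule (S3649) and the Insight call does not, the gap is the unmodeled library sink that Sebastien describes, not the installation. Note also that the hardened version keeps one piece of interpolation (the schema name) on purpose: identifiers cannot be bound, so the defence there is validation against a strict pattern, not parameterization.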