when I scan the following code:
```java
String q = """
    UPDATE users SET is_active = true WHERE name='%s';
    """.formatted(args);
stmt.execute(q);
```
SonarQube does not find anything. But when I scan:
```java
String q2 = "UPDATE users SET is_active = true WHERE name='" + args + "';";
stmt.execute(q2);
```
I get the correct message: "Make sure using a dynamically formatted SQL query is safe here." Maybe I am doing something wrong, but it looks like the dynamic SQL is not detected in the multiline string.
Must-share information (formatted with Markdown):

- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
- how is SonarQube deployed: zip, Docker, Helm
- what are you trying to achieve
  Java code scan. Tried to detect dynamic SQL.
- what have you tried so far to achieve this

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!
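The three query shapes side by side, as an added example that is not code from the original post: the two injectable builders mirror the snippets above, and `activateUser` is the hardened form that keeps the SQL constant and passes the name as a bind parameter. `String.formatted` on a text block splices the argument into the query exactly as `+` concatenation does, so the first builder is just as injectable as the second whether or not the analyzer flags it. The class name, helper names, the `Connection` parameter and the payload string are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class DynamicSqlDemo {

    // Text-block variant from the post: still a dynamically formatted query,
    // the placeholder is filled with untrusted input. Deliberately injectable.
    static String buildWithTextBlock(String name) {
        return """
                UPDATE users SET is_active = true WHERE name='%s';
                """.formatted(name);
    }

    // Concatenation variant from the post: same flaw, different syntax.
    static String buildWithConcat(String name) {
        return "UPDATE users SET is_active = true WHERE name='" + name + "';";
    }

    // Hardened form (assumed helper): the SQL text is a constant and the value
    // travels as a bind parameter, so the driver never parses it as SQL.
    static int activateUser(Connection conn, String name) throws SQLException {
        String sql = "UPDATE users SET is_active = true WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed payload: closes the string literal and appends a tautology,
        // so the WHERE clause matches every row in both dynamic builders.
        String payload = "x' OR '1'='1";
        System.out.println(buildWithTextBlock(payload));
        System.out.println(buildWithConcat(payload));
    }
}
```

Running `main` shows both builders emitting `... WHERE name='x' OR '1'='1';`, which would activate every user. Whatever the scanner reports, the fix is the same: route the value through `PreparedStatement` as in `activateUser` rather than formatting or concatenating it into the statement text.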