Hi,
This concerns TSQL.
The rule in question is S1523 Dynamically executing code is security-sensitive.
I believe there is a False Negative, as SonarQube does not flag any issue if a dynamic query is passed as a variable.
I am using SonarQube 9.9 Developer edition.
Here is an example of the issue taken straight from the Sensitive Code Example of S1523, with the query passed as a variable instead; this will not be flagged as an issue:
CREATE PROCEDURE USER_BY_EMAIL(@email VARCHAR(255)) AS
BEGIN
DECLARE @SqlString NVARCHAR(MAX) = 'USE AuthDB; SELECT id FROM user WHERE email = ''' + @email + ''' ;' -- Sensitive: could inject code using @email
EXEC @SqlString
END
GO
Using EXEC sp_executesql @SqlString in the previous sample will also not be flagged as an issue.
Thanks,
Ludovic
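As an added illustration (this is not the poster's code nor SonarSource's rule example), the snippet below places the concatenated dynamic query next to a parameterized rewrite so the difference the rule is meant to catch is visible in one place. The procedure names, the dbo.[user] table and its columns are assumptions. Note also that T-SQL treats EXEC @var (no parentheses) as a call to a module whose name is held in @var, whereas EXEC (@var) and sp_executesql run the string as a batch; the dynamic-execution forms are the ones shown here.

```sql
-- Added example, not from the original post. Table/column names are assumed.
-- Vulnerable form: the value of @email becomes part of the statement text, so a
-- value containing quote characters can change the query structure before it runs.
CREATE PROCEDURE USER_BY_EMAIL_UNSAFE(@email VARCHAR(255)) AS
BEGIN
    DECLARE @SqlString NVARCHAR(MAX) =
        N'SELECT id FROM dbo.[user] WHERE email = ''' + @email + N''';';
    EXEC (@SqlString);   -- Sensitive: executes text that @email helped build
END
GO

-- Hardened form: the statement text is a constant and the user value travels as a
-- typed parameter bound by sp_executesql, so it can never alter the query shape.
CREATE PROCEDURE USER_BY_EMAIL_SAFE(@email VARCHAR(255)) AS
BEGIN
    DECLARE @SqlString NVARCHAR(MAX) =
        N'SELECT id FROM dbo.[user] WHERE email = @p_email;';
    EXEC sp_executesql @SqlString,
                       N'@p_email VARCHAR(255)',   -- parameter declaration
                       @p_email = @email;          -- value bound, not concatenated
END
GO
```

When the statement does not actually vary, a plain static SELECT is preferable to either form; sp_executesql with parameters is the pattern to reach for only when the statement text must be assembled at run time (for instance a table name taken from an allow-list), keeping every user-supplied value out of the concatenation and in a bound parameter.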