I believe there is a False Negative, as SonarQube does not flag any issue if a dynamic query is passed as a variable.
I am using SonarQube 9.9 Developer edition.
Here is an example of the issue taken straight from the Sensitive Code Example of S1523, with the query passed as a variable instead; this will not be flagged as an issue:
CREATE PROCEDURE USER_BY_EMAIL(@email VARCHAR(255)) AS
BEGIN
    -- Sensitive: @email is concatenated into the statement text, so it could inject code
    DECLARE @SqlString NVARCHAR(MAX) = 'USE AuthDB; SELECT id FROM [user] WHERE email = ''' + @email + ''' ;'
    EXEC @SqlString -- the variable is passed without parentheses here
END
GO
Using EXEC sp_executesql @SqlString in the previous sample will also not be flagged as an issue.
I can confirm that this should raise but it does not.
The main culprit from my understanding does not seem to be SonarQube, but the parentheses around @SqlString, or in your case the lack of them.
Technically both EXEC (@this) and EXEC @this are valid T-SQL, but for some reason we fail to report on the second one.
You can see this for yourself, if you are curious: Just by wrapping the argument of EXEC in parentheses, you should see an issue being raised as expected.
I opened an issue about it in our T-SQL dedicated backlog.
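The forms discussed in this thread side by side, as an added T-SQL example that is not code from either poster or from SonarSource: the parenthesized EXEC that S1523 flags, the bare EXEC @var that the thread reports as missed, and a parameterized sp_executesql version in which the input is bound as data rather than concatenated (sp_executesql on its own does not fix anything; the parameter does). Table and procedure names are illustrative.

```sql
-- Added example (not from the thread): the EXEC forms the thread discusses, next to a
-- parameterized version. Table and procedure names are illustrative.

-- 1. The form S1523 flags: user input concatenated into the statement and run via EXEC (...)
CREATE PROCEDURE USER_BY_EMAIL_CONCAT(@email VARCHAR(255)) AS
BEGIN
    DECLARE @SqlString NVARCHAR(MAX) =
        N'USE AuthDB; SELECT id FROM [user] WHERE email = ''' + @email + N''';';
    EXEC (@SqlString);   -- flagged: the value of @email becomes part of the SQL text
END
GO

-- 2. Same concatenation without parentheses: reported in the thread as not flagged.
--    EXEC @var with no parentheses executes a module whose name is the value of @var
--    rather than running the string as a batch, so this usually fails at runtime;
--    the tainted string is still built identically, which is why it should be reported.
CREATE PROCEDURE USER_BY_EMAIL_NOPARENS(@email VARCHAR(255)) AS
BEGIN
    DECLARE @SqlString NVARCHAR(MAX) =
        N'USE AuthDB; SELECT id FROM [user] WHERE email = ''' + @email + N''';';
    EXEC @SqlString;     -- not flagged by SonarQube 9.9 according to the thread
END
GO

-- 3. Hardened: sp_executesql with a typed parameter. @email is bound as data, never
--    spliced into the statement text, so there is nothing left to inject.
CREATE PROCEDURE USER_BY_EMAIL_SAFE(@email VARCHAR(255)) AS
BEGIN
    DECLARE @SqlString NVARCHAR(MAX) =
        N'SELECT id FROM AuthDB.dbo.[user] WHERE email = @p_email;';
    EXEC sp_executesql @SqlString,
                       N'@p_email VARCHAR(255)',
                       @p_email = @email;
END
GO

-- 4. Constructed check value: the safe procedure compares the whole string literally and
--    returns no rows, whereas the concatenated versions would execute the extra predicate.
EXEC USER_BY_EMAIL_SAFE @email = 'nobody@example.com'' OR 1=1 --';
```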