False positive of rule plsql:S1523

Hi, I ran into what I think is a false positive of rule plsql:S1523 (Dynamically executing code is security-sensitive). The code being flagged looks like this:
EXECUTE IMMEDIATE 'DROP TABLE MyTable' with no variables. In my opinion this is not dynamic code since this is a string literal.

Hi @KjartanThK, welcome to the Community!

I’ve taken the liberty to move this post to the “Rules and Languages > Report False-positive / False-negative…” category (you initially created it under “Rules and Languages”). No big deal :smile:.

That being said, I tried reproducing your false positive by simply analyzing a file containing this:

EXECUTE IMMEDIATE 'DROP TABLE MyTable'

And I didn’t get plsql:S1523 to trigger. Could you please clarify:

  • In your simplification of the actual code, you might have omitted something important. Could you share something that resembles your code more closely and that still triggers the rule? You could perhaps test it yourself by creating a dummy branch/PR and analyzing it, to make sure the snippet triggers a rule.
  • Which SonarQube product and version are you using?

Hi Andrés, thank you.

I’ve seen this in a few repositories and at least over a hundred instances, so this is pretty consistent behavior. My guess is that this has been fixed since we’re running an outdated version: Enterprise Edition v2025.6.1 (117629).

We are in the process of upgrading to a more recent version though, so if this is the case it will resolve itself. However, if there’s some way to send this to you privately, I can share the source file as is.

I tried analyzing the snippet on 2025.6 too, and still no issue. So this probably means that I need the full file to reproduce it, and that there are no guarantees this is fixed in a later version. I’ll message you privately.

Small correction: I think it will be more productive if instead I flag this for the devs, and then they will be the ones messaging you privately so you can share the file. Now that you confirmed that you are willing to share it, I prefer to just streamline the interaction and skip the middle man (me :joy: ).

Thank you very much.