If url is not user-controlled, you are right that there is no vulnerability. The question now is: why does the analyzer think it is user input? Can you share more information about the code, for example how the function is called and what exactly SonarQube reports.
This is the communication between the web side and the code side of the app, but it happens within the same machine that runs the software, so perhaps SonarQube is lead to believe that is user driven.
Is there anyway to code to make the scan pass, I’ve tried some validation of the url string but it has not been successful.
I see, thanks for sharing! If you are certain that an attacker will never be able to reach it, you could simply mark the issue as a false-positive. If you want to harden the code, you could for example use a regular expression to limit the character set. For example, with this method.