I am getting the message “Change this code to not construct SQL queries directly from user-controlled data” from SonarQube even though prepared statements with parameterization are used.
In the image supplied, the Update class implements the PreparedStatementCreator interface supported by Spring JdbcTemplate. It uses parameter markers (mapped to question marks in the SQL) for all supplied variables. So it is not vulnerable to SQL injection.
Why does this message appear - is this a bug in SonarQube? Or is it simply by design not capable of performing a deep enough analysis to avoid a false alarm in this case?
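To make the pattern in the question concrete, the following is an added example written for this page; it is not the code shown in the post's image (which is not reproduced here) and not SonarSource's or Spring's own code. It shows a `PreparedStatementCreator` that binds every user-supplied value through a `?` marker, beside the string-concatenation form that SonarQube's SQL-injection rule is actually meant to catch. The table and column names (`accounts`, `email`, `id`) and the class names are constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.PreparedStatementCreator;

/**
 * Safe form: the SQL text is a compile-time constant and the two
 * user-controlled values are bound to '?' markers, so the database
 * never parses them as SQL. This is the shape the question describes.
 * (Table/column names are constructed for this example.)
 */
public class AccountEmailUpdate implements PreparedStatementCreator {

    private static final String SQL = "UPDATE accounts SET email = ? WHERE id = ?";

    private final String newEmail;  // user-controlled
    private final long accountId;   // user-controlled

    public AccountEmailUpdate(String newEmail, long accountId) {
        this.newEmail = newEmail;
        this.accountId = accountId;
    }

    @Override
    public PreparedStatement createPreparedStatement(Connection con) throws SQLException {
        PreparedStatement ps = con.prepareStatement(SQL);
        ps.setString(1, newEmail);   // bound as a value, not spliced into the text
        ps.setLong(2, accountId);
        return ps;
    }

    /** Runs the update through JdbcTemplate and returns the affected row count. */
    public static int run(DataSource dataSource, String newEmail, long accountId) {
        JdbcTemplate jdbc = new JdbcTemplate(dataSource);
        return jdbc.update(new AccountEmailUpdate(newEmail, accountId));
    }
}

/**
 * Unsafe form, shown only for contrast: the query text itself is assembled
 * from user input, so prepareStatement() receives attacker-influenced SQL.
 * This is the construction the rule's message is warning about.
 */
class ConcatenatedAccountEmailUpdate implements PreparedStatementCreator {

    private final String newEmail;
    private final String accountId;

    ConcatenatedAccountEmailUpdate(String newEmail, String accountId) {
        this.newEmail = newEmail;
        this.accountId = accountId;
    }

    @Override
    public PreparedStatement createPreparedStatement(Connection con) throws SQLException {
        // Vulnerable: user-controlled data becomes part of the SQL string.
        String sql = "UPDATE accounts SET email = '" + newEmail
                + "' WHERE id = " + accountId;
        return con.prepareStatement(sql);
    }
}
```

One caveat worth checking when a finding like this looks like a false positive: taint-based rules follow the flow of data into the string passed to `prepareStatement()`. If the SQL text is a literal, as in `AccountEmailUpdate`, only the bound values are user-controlled and the call should not be reported; if the SQL text is instead built or passed in at runtime (for example a table name or an `ORDER BY` fragment supplied by the caller), the analyser can only see that tainted data reaches the query string, even though the other values are correctly bound with markers.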
I was not aware the SonarQube version my company is using is unsupported.
Unfortunately, these upgrades are handled by someone else, and I am unable to verify that this issue can be reproduced with a supported version.
Additionally, the time spent on creating a minimal code sample is likely higher than manually administering these issues to remove them from the report.
So I am not going to proceed further with this on this forum.