SQL calls that are flagged with S2077 in SQ 7.0 (Community) aren’t flagged in 8.5. I realize S2077 is now a hotspot, but I’m able to get other hotspots from 8.5, so that’s not the issue.
For instance, code that forms a String s by concatenating some literals, variables, and method calls, then calls c.prepareStatement(s) (where c is a Connection object) gets flagged in 7.0 but not 8.5.
Has the interprocedural analysis in 8.5 improved (over 7.0) so that it can detect that the pieces concatenated to form s are all locally generated, so no injection is possible? Or is it something else?
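For reference, an added example (not the poster’s code, and not anything from SonarSource) of the two shapes involved: the concatenate-then-`prepareStatement(s)` pattern the question describes, beside the bound-parameter form that S2077 is meant to steer you towards. The table `app_user`, the columns, and the helper `tableName()` are assumptions for illustration; the `Connection`-taking methods need a real JDBC connection, while `main` only prints the query text built from a constructed input.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class S2077Example {

    // Pattern from the question: s is assembled from literals, a variable and a
    // method call, then handed to prepareStatement(s). Wrapping it in a
    // PreparedStatement does not make it safe: no '?' placeholder is used, so
    // whatever arrives in `username` is parsed as part of the SQL text.
    static String buildConcatenatedQuery(String username) {
        String table = tableName();                            // method call
        String s = "SELECT id, email FROM " + table            // literals
                 + " WHERE username = '" + username + "'";     // variable
        return s;
    }

    static ResultSet findUserConcatenated(Connection c, String username) throws SQLException {
        String s = buildConcatenatedQuery(username);
        PreparedStatement ps = c.prepareStatement(s); // query text already contains the input
        return ps.executeQuery();
    }

    // Hardened form: the statement text is a constant with a '?' placeholder and
    // the user-controlled value is bound with setString, so it travels as data and
    // cannot change the query structure. Identifiers such as table names cannot be
    // bound this way; if one must vary, pick it from a fixed allow-list instead of
    // concatenating input.
    static ResultSet findUserParameterized(Connection c, String username) throws SQLException {
        String s = "SELECT id, email FROM app_user WHERE username = ?";
        PreparedStatement ps = c.prepareStatement(s);
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // Hypothetical helper (assumed for the example): a fixed identifier, not user input.
    static String tableName() {
        return "app_user";
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name and a classic tautology payload.
        String benign = "alice";
        String hostile = "x' OR '1'='1";
        System.out.println(buildConcatenatedQuery(benign));
        System.out.println(buildConcatenatedQuery(hostile));
    }
}
```

Running `main` shows the second string closing the quoted value early and appending `OR '1'='1'`, so the concatenated version would match every row once executed, whereas the parameterized version sends the same payload as a literal string value. The point for S2077 is that the concatenated variant is worth reviewing whenever any of the concatenated pieces can be influenced from outside the method, which is exactly what the question is asking the analyzer to decide.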