NoSQL injection not detected

My open source repo has an example Flask view (test sonar nosq by clavedeluna · Pull Request #508 · pixee/codemodder-python · GitHub) that uses the example from the Sonar NoSQL rule (Python static code analysis), except with correct code. However, the SonarCloud analysis here (SonarCloud) did not pick up the NoSQL vulnerability. I checked that the quality profile it uses has this rule enabled and it is enabled. Anything else I can do?

Hey Dani,

The issue is not found because `request` is not used correctly. Try it like this:

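```python
import boto3
from flask import Flask, request
import os

app = Flask(__name__)
# The Session arguments are cut off in the post; the default
# credential chain is used here instead.
AWS_SESSION = boto3.Session()


@app.route("/login")  # route path is a placeholder
def login():
    dynamodb = AWS_SESSION.client("dynamodb")

    username = request.args["username"]
    password = request.args["password"]

    # Request parameters are concatenated straight into the filter
    # expression: this is the pattern the rule is meant to flag.
    result = dynamodb.scan(
        TableName="users",  # placeholder table name
        FilterExpression="username = " + username + " and password = " + password,
    )
    return str(result["Count"])
```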
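For comparison with the concatenated `FilterExpression` in the reply above, here is the parameterized form of the same lookup. It is an added example, not code from the thread or from the Sonar rule page. `TABLE_NAME`, `build_login_scan`, `RecordingClient` and `login_matches` are assumed names, and the stub client stands in for a boto3 DynamoDB client so the block runs offline.

```python
"""Added example: parameterized DynamoDB scan for the login lookup."""

TABLE_NAME = "users"  # assumed table name, not taken from the thread


def build_login_scan(username, password):
    """Return scan() kwargs in which user input travels only as typed values."""
    for name, value in (("username", username), ("password", password)):
        # Flask's request.args yields strings; reject anything else early.
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
    return {
        "TableName": TABLE_NAME,
        # The expression text is a constant; nothing from the request is in it.
        "FilterExpression": "#u = :u and #p = :p",
        "ExpressionAttributeNames": {"#u": "username", "#p": "password"},
        # The low-level client takes typed attribute values ("S" = string).
        "ExpressionAttributeValues": {
            ":u": {"S": username},
            ":p": {"S": password},
        },
        "ProjectionExpression": "#u",
    }


class RecordingClient:
    """Stand-in for a boto3 DynamoDB client; records the scan() arguments."""

    def __init__(self):
        self.calls = []

    def scan(self, **kwargs):
        self.calls.append(kwargs)
        return {"Count": 0, "Items": []}


def login_matches(client, username, password):
    """True when the scan returns at least one item for the credentials."""
    response = client.scan(**build_login_scan(username, password))
    return response["Count"] > 0


if __name__ == "__main__":
    client = RecordingClient()
    # Constructed input that contains an expression keyword and spaces.
    login_matches(client, "alice and more", "s3cret")
    print(client.calls[0]["FilterExpression"])
    print(client.calls[0]["ExpressionAttributeValues"])
```

With a real client, pass `AWS_SESSION.client("dynamodb")` in place of `RecordingClient()`; the expression text sent to DynamoDB is the same for every request.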
