Unfortunately, the code snippet does not contain enough information to tell why the issue is not detected. Is it possible for you to share a more complete reproducer that is compilable? I can establish a private channel if you would like to share it privately.
Thanks a lot for your reply.
This method has a query that is constructed by concatenating strings from the method parameters. You can replace the Utility.GetConnection() by any Database Connection and the code will build.
There are multiple things that could be the cause:
The source of the user input is not defined as a source in the analyzer.
The sensitive function is not defined as a sink in the analyzer.
The analyzer can not follow the execution flow for some reason, for example, if reflection is involved it is not always clear what the execution flow will look like.
All three things are very specific to your code, so to be able to tell why no issue is detected I will need to see the code or a simplified version of the code that consists of the source and the sink.
For example, in the code var _connection = Utility.GetSafeerConnection() is used to get an object of the class but I can’t see out of this code which class that is.
We are not doing any exclusion or modification in the analyzer.
We are using SonarScanner for MSBuild 5.3.1 and Using the .NET Framework version of the Scanner for MSBuild.
The issue that should be detected is in this line:
var _query = "Select * From " + schemaName + “.” + lookupName;
In the above line we can inject other queries in the lookupName.
The line by itself is just a string assignment. It only becomes an issue if either schemaName or lookupName are untrusted (in practice, user input), and _query ends up in a function that executes SQL queries. The analyzer needs to know these things to understand that it is a SQL injection. To do that it uses a built-in list of classes/methods/variables that are untrusted and a list of methods that execute SQL queries, among other things. If either one of those that you use is not defined in the built-in list, the analyzer will not be able to detect that it is a SQL injection. For this reason, it is important to know exactly which ones are used in your code.
But SQL Queries are known by syntax. Every query starts with Select * From or Update or Delete or Insert and if there is any concatenation after these words, it should be treated as SQL Injection or at least as Security Hotspot.
It could be an approach but it is a quite limited one. There is a high chance of having both false-positives and false-negatives.
The approach that we follow is quite precise and also works for all the other types of injection vulnerabilities like Cross-Site Scripting. It does require knowledge about certain functions though that are not even part of the code that gets scanned but come from dependencies.
So without the actual code, as described in my previous messages, there is really nothing I can do here.
Below is a simplified version of the code, you can add it to any class.
public async Task<List<T>> GetLookup<T>(string lookupName, string schemaName = "") where T : class
{
if (string.IsNullOrEmpty(schemaName))
schemaName = "Lookup";
var _query = "Select * From " + schemaName + "." + lookupName;
using (var _connection = new SqlConnection(""))
{
var _list = await _connection.QueryAsync<T>(_query);
return _list.OfType<T>().ToList();
}
}