We have just started looking into and using SonarQube and are very impressed with it.
We are using it over a legacy PHP code base, and there are some templates that have triggered the SQL injection security issue.
This rule has the text:
The current implementation does not follow variables. It will only detect SQL queries which are concatenated or contain a '$' sign directly in the function call.
Is there a library of community rules that can follow the variables and check them?
Also: is there a community repo of rules that are shared?
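An added illustration of the limitation the quoted rule text describes; this is example code, not from the post and not from SonarQube's own rule sources. The table, columns and the `$db` connection are assumed. Only the first function has the `'$'`-sign concatenation directly inside the query call; the second builds the same string into a variable first, which is the form a checker that does not follow variables will miss; the third is the fix for both.

```php
<?php
// Added example (not from the post or SonarQube). Assumed schema: table
// `users` with columns `id` and `name`; $db is an open mysqli connection.

// Form 1: concatenation and '$' directly inside the query call.
// This is the shape the quoted rule text says it detects. Injectable.
function findUserInline(mysqli $db, string $name): ?array
{
    $result = $db->query("SELECT id, name FROM users WHERE name = '" . $name . "'");
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Form 2: identical SQL, but assembled into $sql first and then passed in.
// A check that only inspects the arguments of the call sees a plain variable
// here, so it will not flag it, yet it is exactly as injectable as form 1.
function findUserViaVariable(mysqli $db, string $name): ?array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Fix for both: a prepared statement with a bound parameter, so user input
// is sent separately from the SQL text and never changes the query's structure.
// (get_result() assumes the mysqlnd driver, which is the default in modern PHP.)
function findUserSafe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed input for a manual check: a $name of
//     ' OR '1'='1
// makes the WHERE clause always true in the first two functions (the first
// row of the table comes back regardless of the name), while the third
// function looks for a user literally named "' OR '1'='1" and returns null.
```

When auditing the templates that were flagged, it is worth grepping the same code base for the second shape (a `$sql` or `$query` variable built from request data and passed to `query`, `mysqli_query`, `mysql_query` or `PDO::query` a few lines later), since those are the cases the quoted rule text says it does not currently cover.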