Print out all SQL statements

elaine-tang · April 2, 2020, 5:29am

Is there a way to print out all SQL statements which SonarQube has analyzed, not just the vulnerable ones?

Alexandre_Frigout · April 2, 2020, 9:44am

Hello,
In the code section of your project in the SonarQube UI all the analysed code is displayed.
Is it what you are looking for ?
Alex.

eric.therond · April 2, 2020, 1:07pm

Hello @elaine-tang and welcome to the community

There are two complementary security-rules for tracking “unsecure SQL statements”:

RSPEC-3649 that is triggered when SQL statements are created from user-controlled input, this is an injection rule, and the whole flow from input to sink (database query) is displayed in the SonarQube UI.
RSPEC-2077 a security-hotspot rule that is triggered when an SQL statement is dynamically created (from an user-controlled input or not) thus mostly when prepared statements are not used or incorrectly.

For the last rule, it is true that we display only when the database query is performed and not in all the locations where the SQL statement is initizialized or assigned.

It is a known problem and we are working to find a solution.
We will notify you when this happen.

Eric