Python SAST engine sinks config

Hello,

I am looking into the S3649 SQL Injection rule for python and while trying it out with the clickhouse-connect library I realized it does not work with this library’s methods. So I tried to set a custom configuration for the Python SAST engine, that marks the query_df method of the Client class as a sink.

This did not work for me and I also tried to set some other python methods as sinks just for test and none worked. The configuration I used is the following:

{
    "S3649": {
        "sinks": [
            {
                "methodId": "clickhouse_connect.driver.client.Client.query_df",
                "args": [
                  1
                ]
            }
        ]
    }
}

Maybe I set the methodId wrong or there is something else I missed.

Also below you can see that the rule works for mysql-connector.

image1697×1114 79.1 KB

And this is my test code for clickhouse where sonar does not detect any issue.

image1744×1116 114 KB

If you have any idea what is wrong, or what I missed, would be great!

Also I am running Sonarqube Server Enterprise Edition v2025.3.1.

Thanks!

Hello Victor,

Thanks for reporting this.
I had a look: the custom config you have defined is correct.

The problem comes from the analyzer. It unfortunately fails to properly resolve the types of the objects used in the code.
In your example, the create_client method invocation returns an instance of HttpClient, a subclass of clickhouse_connect.driver.client.Client, but the analyzer does not recognize and know this method, so it fails to resolve the create_client method invocation to the proper method id defined in the custom config.

I have created two tickets on our side: the first to add type information of the clickhouse-connect library in our analyzer if possible, and the second to have custom configuration define basic types.

I will update this thread once the there has been progress on these tickets.

Thanks again for your post.

Kind regards,
-Christophe