Hello @alevenelli,
I did not look at the history of this thread. I just want to react to your specific statement.
SonarQube Community Edition doesn’t detect SQL Injection; this is true and expected. It’s only the SonarQube Developer Edition that comes with a specific taint analyzer able to detect when a malicious input can reach a SQL sink.
The rule S3649 is only provided with SQ DE+ and is not part of SQ CE.
Alex