Indeed, the Sonar C and C++ analyzer offers only a limited set of security rules. So far we have maintained our focus on the quality of the code rather than its security. Yet, as you might know, quality and security are correlated.
In particular, we have not invested in the detection of injection vulnerabilities, including command injection.
We do have it on our radar, however. I have recorded your interest in CPP-4903.