Hello @andrew.williams,
I scanned the OWASP Benchmark for Java last August 2019 in the context of writing this article: Takeaways from building a SAST product, and why OWASP benchmark is not enough
You can check the results here: https://sonarcloud.io/dashboard?id=org.owasp%3Abenchmark%3Aagigleux. Have in mind that the OWASP Benchmark is only containing Java cases and no C# cases.
Would you be able to share a zip file or best a public repository containing your reproducer so we can investigate why there is no issue raise on your simple SQLi case?
Thanks