SonarQube scanned the following source code, which uses MyBatis as its O/R mapper, but it could not detect the SQL injection.
import org.apache.ibatis.annotations.Insert;

// Mapper interface (name assumed; the post shows only the method). ${str} is
// spliced into the SQL as text, so the caller controls the statement.
public interface EchoMapper {
    /**
     * This API registers in the DB the string set in the parameter without escaping.
     * @param str The string you want to insert.
     */
    @Insert("INSERT INTO ECHO (VOICE) VALUES ( ${str})")
    void EchoSqlInjection(String str);
}
Can SonarQube detect SQL injection in source code that uses MyBatis?
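The example below is added here and is not code from the original post. It makes the injection observable at runtime rather than relying on what a static analyzer reports: the same mapper is written once with MyBatis `${}` (text substitution, equivalent to string concatenation) and once with `#{}` (a bound JDBC parameter), and both are fed a constructed payload against an in-memory H2 table. The unsafe call ends up executing `INSERT INTO ECHO (VOICE) VALUES ( 'a'),('b')` and inserts two rows; the safe call prepares `VALUES ( ?)` and inserts one row whose content is the literal payload. The class, mapper and method names, the H2 connection details and the payload are all my own assumptions; mybatis and h2 are assumed to be on the classpath.

```java
import java.sql.Statement;

import org.apache.ibatis.annotations.Delete;
import org.apache.ibatis.annotations.Insert;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.datasource.pooled.PooledDataSource;
import org.apache.ibatis.mapping.Environment;
import org.apache.ibatis.session.Configuration;
import org.apache.ibatis.session.SqlSession;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;
import org.apache.ibatis.transaction.jdbc.JdbcTransactionFactory;

public class EchoInjectionDemo {

    // Hypothetical mapper (not the original post's); both inserts target the same ECHO table.
    public interface EchoMapper {
        // ${} is text substitution: MyBatis pastes the value into the SQL string
        // before it reaches the driver, exactly like string concatenation.
        @Insert("INSERT INTO ECHO (VOICE) VALUES ( ${str})")
        void echoUnsafe(@Param("str") String str);

        // #{} is a bound parameter: the SQL is prepared with a '?' placeholder
        // and the value is passed separately, so it cannot change the statement.
        @Insert("INSERT INTO ECHO (VOICE) VALUES ( #{str})")
        void echoSafe(@Param("str") String str);

        @Select("SELECT COUNT(*) FROM ECHO")
        int countRows();

        @Delete("DELETE FROM ECHO")
        void clear();
    }

    // Constructed payload: closes the quote and the VALUES group, then adds a second row.
    static final String PAYLOAD = "'a'),('b'";

    // Builds a MyBatis session factory programmatically against an in-memory H2 database
    // (connection details assumed), so no XML configuration is needed.
    static SqlSessionFactory buildFactory() {
        PooledDataSource ds = new PooledDataSource(
                "org.h2.Driver", "jdbc:h2:mem:echo;DB_CLOSE_DELAY=-1", "sa", "");
        Environment env = new Environment("dev", new JdbcTransactionFactory(), ds);
        Configuration cfg = new Configuration(env);
        cfg.addMapper(EchoMapper.class);
        return new SqlSessionFactoryBuilder().build(cfg);
    }

    public static void main(String[] args) throws Exception {
        SqlSessionFactory factory = buildFactory();
        try (SqlSession session = factory.openSession(true)) { // autocommit on
            try (Statement st = session.getConnection().createStatement()) {
                st.execute("CREATE TABLE ECHO (VOICE VARCHAR(200))");
            }
            EchoMapper mapper = session.getMapper(EchoMapper.class);

            // Executed SQL: INSERT INTO ECHO (VOICE) VALUES ( 'a'),('b')
            mapper.echoUnsafe(PAYLOAD);
            System.out.println("rows after ${} insert: " + mapper.countRows());

            mapper.clear();

            // Executed SQL: INSERT INTO ECHO (VOICE) VALUES ( ?) with the whole
            // payload bound as a single string value.
            mapper.echoSafe(PAYLOAD);
            System.out.println("rows after #{} insert: " + mapper.countRows());
        }
    }
}
```

The difference in row counts is the whole vulnerability: with `${}` the caller's input becomes part of the statement text, so a value such as `'x'); DELETE FROM ECHO; --` would do whatever the database's statement syntax allows, while with `#{}` the driver receives the statement and the value separately and no input can alter the query. SonarQube's injection rules for Java are taint-analysis rules, so they report a flow from an untrusted source (for example a request parameter) to a query sink; a mapper interface on its own gives the analyzer no source to follow, which is why a runtime check like this one is a useful complement to the scan.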