SonarQube cannot detect SQL Injection

SonarQube scanned the following source code using Mybatis for O/R Mapper, but it could not detect SQL Injection.

/**
 * This API registers in the DB the string set in the parameter without escaping.
 * @param str The string you want to insert.
 */
// ${str} is substituted into the SQL text before it reaches JDBC (it is not a bound
// parameter), so the caller's string becomes part of the statement itself.
@Insert("INSERT INTO ECHO (VOICE) VALUES ( ${str})")
void EchoSqlInjection(String str);

Can SonarQube detect SQL Injection in source code using MyBatis?
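As an added example (not part of the original post, and not SonarSource's or MyBatis's own code), the following puts the mapper from the post beside a hardened version and runs both against an in-memory H2 database, so the difference between `${}` (text substitution) and `#{}` (PreparedStatement binding) can be observed directly. It assumes `mybatis` and `h2` are on the classpath; the `EchoInjectionDemo` class, the `echoSafe`/`createTable`/`clear`/`voices` methods, the `@Param("str")` annotation (added so the binding name resolves the same way across MyBatis versions) and the payload string are all constructed for this demonstration.

```java
import java.util.List;

import org.apache.ibatis.annotations.Insert;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.annotations.Update;
import org.apache.ibatis.datasource.unpooled.UnpooledDataSource;
import org.apache.ibatis.mapping.Environment;
import org.apache.ibatis.session.Configuration;
import org.apache.ibatis.session.SqlSession;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;
import org.apache.ibatis.transaction.jdbc.JdbcTransactionFactory;

/**
 * Added example (not from the original post, SonarSource or MyBatis): the vulnerable
 * mapper from the thread next to a hardened one, exercised against an in-memory H2
 * database. Assumes mybatis and h2 on the classpath.
 */
public class EchoInjectionDemo {

    // Mapper declared in an interface, as in the post. @Param("str") is an assumption
    // added so "str" resolves identically for ${} and #{} on any MyBatis 3.x version.
    public interface EchoMapper {

        // VULNERABLE: ${str} is spliced into the SQL text before it reaches JDBC,
        // so the caller's string becomes part of the statement.
        @Insert("INSERT INTO ECHO (VOICE) VALUES ( ${str})")
        void echoSqlInjection(@Param("str") String str);

        // HARDENED: #{str} becomes a '?' placeholder bound through PreparedStatement;
        // the value is sent as data and cannot change the statement's structure.
        @Insert("INSERT INTO ECHO (VOICE) VALUES ( #{str})")
        void echoSafe(@Param("str") String str);

        @Update("CREATE TABLE IF NOT EXISTS ECHO (VOICE VARCHAR(200))")
        void createTable();

        @Update("TRUNCATE TABLE ECHO")
        void clear();

        @Select("SELECT VOICE FROM ECHO ORDER BY VOICE")
        List<String> voices();
    }

    public static SqlSessionFactory buildFactory() {
        // DB_CLOSE_DELAY=-1 keeps the in-memory database alive between sessions.
        UnpooledDataSource ds = new UnpooledDataSource(
                "org.h2.Driver", "jdbc:h2:mem:echo;DB_CLOSE_DELAY=-1", "sa", "");
        Environment env = new Environment("demo", new JdbcTransactionFactory(), ds);
        Configuration cfg = new Configuration(env);
        cfg.addMapper(EchoMapper.class);
        return new SqlSessionFactoryBuilder().build(cfg);
    }

    /** Runs one insert through the chosen mapper method and returns the rows now in ECHO. */
    public static List<String> insertAndRead(SqlSessionFactory factory, boolean vulnerable, String input) {
        try (SqlSession session = factory.openSession(true)) {   // autocommit
            EchoMapper mapper = session.getMapper(EchoMapper.class);
            mapper.createTable();
            mapper.clear();
            if (vulnerable) {
                mapper.echoSqlInjection(input);
            } else {
                mapper.echoSafe(input);
            }
            return mapper.voices();
        }
    }

    public static void main(String[] args) {
        SqlSessionFactory factory = buildFactory();

        // Constructed attacker input. The query has no quotes around ${str}, so even a
        // "legitimate" call has to pass a quoted literal such as 'hi'; this payload
        // closes that literal and appends a second row the caller never asked for.
        String payload = "'hi'), ('injected'";

        // ${}: the statement becomes  INSERT INTO ECHO (VOICE) VALUES ( 'hi'), ('injected')
        System.out.println("vulnerable: " + insertAndRead(factory, true, payload));

        // #{}: the statement stays  INSERT INTO ECHO (VOICE) VALUES ( ?)  and the whole
        // payload is bound as one value, stored verbatim as a single row
        System.out.println("hardened:   " + insertAndRead(factory, false, payload));
    }
}
```

Run it with `mybatis` and `h2` on the classpath (`java -cp mybatis.jar:h2.jar:. EchoInjectionDemo`). The `${}` mapper ends up with two rows, `hi` and `injected`, from a single call; the `#{}` mapper ends up with one row whose value is the payload text itself. The same distinction applies to any MyBatis annotation (`@Select`, `@Update`, `@Delete`) and to XML mappers: `${}` is only safe for values that are not attacker-controlled, such as a column name chosen from a fixed allow-list.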

Hey there.

What version of SonarQube are you using? What edition?

I am using the following version.

  • Edition: Developer Edition
  • Version: 9.5 (build 56709)

Hello @itoh110!

Welcome to our community, and thanks a lot for your post and precisions.

This library is not supported yet, but we can add it! :blush: I am going to create an internal ticket to add it.

If you don’t mind, can you tell me more about how you use this library?
For example:

  • Do you have a specific use case for it?
  • Is this in a professional environment, in production?
  • Do you use Mybatis, Mybatis-Spring, or an equivalent?
  • Do you declare this kind of function in interfaces, as the docs illustrate?

Having real-life insights about this library will help me a lot in understanding how we should internally address it.

Thanks a lot!

Cheers,

Loris