SonarQube Database Question

database

(Patrick Walker) #1

By default, does SonarQube utilize Dynamic Code Execution for its database? If so, are there protective measures taken against code injection?


(Simon Brandhof) #2

No. SQL requests are not generated at runtime. They are predefined in MyBatis mapper files like https://github.com/SonarSource/sonarqube/blob/master/server/sonar-db-dao/src/main/resources/org/sonar/db/rule/RuleMapper.xml. Parameters are sanitized by MyBatis.
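As an added illustration of the mechanism described in the answer above (this is not code from SonarQube's own mapper files; the namespace, table and column names are hypothetical), a MyBatis mapper fragment showing the `#{...}` binding that MyBatis passes to a JDBC PreparedStatement as a parameter, next to the `${...}` substitution that is spliced into the SQL text and is the form a reviewer should look for:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
        "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<!-- Hypothetical namespace, table and columns; illustrative only. -->
<mapper namespace="org.example.db.rule.ExampleRuleMapper">

  <!-- #{...}: MyBatis prepares the statement with a '?' placeholder and binds
       the value as a JDBC parameter. The database never parses the caller's
       input as SQL, so the value cannot change the structure of the query. -->
  <select id="selectByKey" parameterType="string" resultType="org.example.db.rule.RuleDto">
    SELECT id, rule_key, repository_key, name
    FROM example_rules
    WHERE rule_key = #{ruleKey}
  </select>

  <!-- Several parameters: each one still becomes a bound placeholder. -->
  <select id="selectByRepositoryAndStatus" resultType="org.example.db.rule.RuleDto">
    SELECT id, rule_key, repository_key, name
    FROM example_rules
    WHERE repository_key = #{repositoryKey}
      AND status = #{status}
  </select>

  <!-- Lists are expanded by <foreach> into one bound placeholder per element,
       not string-joined into the SQL. -->
  <select id="selectByKeys" resultType="org.example.db.rule.RuleDto">
    SELECT id, rule_key, repository_key, name
    FROM example_rules
    WHERE rule_key IN
    <foreach collection="keys" item="key" open="(" separator="," close=")">
      #{key}
    </foreach>
  </select>

  <!-- ${...} is plain text substitution performed before the SQL is sent, so
       MyBatis does not sanitize it. It is acceptable only for values that the
       application code selects from a fixed list (here: a column name chosen
       from a constant whitelist), never for user-supplied input. A search for
       '${' in mapper files locates every such site for review. -->
  <select id="selectSortedByColumn" resultType="org.example.db.rule.RuleDto">
    SELECT id, rule_key, repository_key, name
    FROM example_rules
    ORDER BY ${sortColumn}
  </select>

</mapper>
```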