By default, does Sonarqube utilize Dynamic Code Execution for its database? If so, are there protective measures taken against code injection?
No. SQL requests are not generated at runtime. They are predefined in MyBatis mapper files like https://github.com/SonarSource/sonarqube/blob/master/server/sonar-db-dao/src/main/resources/org/sonar/db/rule/RuleMapper.xml. Parameters are sanitized by MyBatis.