Sonarqube does not detect Security Hotspot: Formatting SQL queries is security sensitive


I have carried out an analysis on a project that has the following code:

It does not detect any vulnerabilities or any security hotspots. The following rule, shouldn't it test positive?

Below is the project information and the versions of sonarqube and sonarscanner used.

Language: C#
Use: Sonarqube community
SonarScanner for MSBuild 5.8

Thank you very much in advance,


Hey there.

Thanks for the report. In the future, please provide a text-based snippet of code, rather than a screenshot.

Are you using Microsoft.Data.SqlClient? There’s a known false-negative tracked here: FN S2077: Add support for Microsoft SqlClient Data Provider for SQL Server · Issue #6205 · SonarSource/sonar-dotnet · GitHub

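For readers landing on this thread, here is an added illustration (not code from the original poster's repository or from SonarSource) of the pattern rule S2077 is meant to flag, built on Microsoft.Data.SqlClient: a query assembled with string interpolation, placed beside the parameterized form that the analyzer does not need to raise a hotspot on. The `Customers` table, the `Name` column and the `connectionString` value are assumptions for the example only.

```csharp
using System;
using Microsoft.Data.SqlClient;

public static class CustomerQueries
{
    // Connection string is a placeholder; the example never opens a real connection unless you run it.
    private const string ConnectionString =
        "Server=localhost;Database=ExampleDb;Trusted_Connection=True;TrustServerCertificate=True";

    // HOTSPOT (S2077): the query text is formatted from a caller-supplied value.
    // A name such as  x' OR '1'='1  changes the meaning of the WHERE clause.
    // This is the shape of code the thread reports SonarQube failing to flag for Microsoft.Data.SqlClient.
    public static SqlCommand BuildFormattedQuery(SqlConnection connection, string customerName)
    {
        string sql = $"SELECT Id, Name FROM Customers WHERE Name = '{customerName}'";
        return new SqlCommand(sql, connection);
    }

    // FIXED: the SQL text is constant; the value travels as a typed parameter,
    // so the database engine never parses it as part of the statement.
    public static SqlCommand BuildParameterizedQuery(SqlConnection connection, string customerName)
    {
        const string sql = "SELECT Id, Name FROM Customers WHERE Name = @name";
        var command = new SqlCommand(sql, connection);
        command.Parameters.Add("@name", System.Data.SqlDbType.NVarChar, 100).Value = customerName;
        return command;
    }

    public static void Main()
    {
        using var connection = new SqlConnection(ConnectionString);

        // Constructed input: harmless on its own, but shows how the two variants differ.
        string input = "O'Brien";

        // The formatted variant produces a different (and here syntactically broken) statement per input.
        Console.WriteLine(BuildFormattedQuery(connection, input).CommandText);
        // The parameterized variant always produces the same statement text.
        Console.WriteLine(BuildParameterizedQuery(connection, input).CommandText);
    }
}
```

Comparing the two `CommandText` values for the same input makes the distinction the rule draws concrete: in the first variant the user's apostrophe has already altered the statement before it reaches SQL Server, while in the second the statement is fixed and only the parameter value varies. When the analyzer does not report the first variant, as in the false negative linked above, a manual review for string-built `SqlCommand` text is the interim check.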

Thank you very much for your response, Colin.

I forgot to include the code in the text. I am attaching a Github repository with the vulnerability commented. The vulnerability is located between lines 73-100.

I am using the Microsoft.Data.SqlClient library. It seems that there is a false negative reported for that library. Hopefully, they will fix it as soon as possible.

Thanks again!
