SonarQube does not identify SQL injection


I am testing SonarQube to see if it can identify the vulnerability to SQL injection using a Web App in C#. Previously I tried to perform the same test and had this same false positive, indicating that there were no vulnerabilities in the code even if I knew they were there. However, I ended up discovering here that this was because I was using a Console Application, and I was advised that this vulnerability would only be identified if it used a Web App. I did that, but Sonar continues with this false positive.

This is the new code repo:

Hi @gabirlSilva,

It looks like you’re using Npgsql, which is not a framework that we support for SQL Injection vulnerabilities. You can find the currently supported list for C# here.



Hi Cameron,

Thank you very much. If possible, could you give me an example? I didn’t understand this list very well.



Hi Gabriel,

This example on our rules site uses MS Entity Framework, which is one of the supported frameworks. The way this works under the hood is that the SonarQube SAST engine is pre-configured to recognize dangerous data sources and dangerous operations like executing a database query. We do this for the most common frameworks in each language, so this line using Entity Framework:

            if (_context.Database.ExecuteSqlCommand(query) > 0) // Noncompliant

is recognized as a dangerous operation. Because we don’t support Npgsql, this line is not:

            new NpgsqlCommand(souUmaInjection, connection);

I hope that helps make it clearer.
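For readers following the thread, here is an added example (not code from the original posts or from SonarSource) showing the source-to-sink flow the SAST engine has to trace in the Npgsql case, next to the parameterized form that removes the injection regardless of whether a scanner flags it. It assumes an ASP.NET Core controller, a connection string named "Default", and a table `users(id, name)`; those names are assumptions.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Npgsql;

public class UserController : Controller
{
    private readonly string _connString;

    // "Default" is an assumed connection-string name in appsettings.json.
    public UserController(IConfiguration config)
    {
        _connString = config.GetConnectionString("Default");
    }

    // Vulnerable: the "name" query parameter (taint source) is concatenated
    // into the SQL text and reaches NpgsqlCommand (the sink). A SAST engine
    // only reports this if NpgsqlCommand is configured as a dangerous operation.
    [HttpGet("/user/unsafe")]
    public IActionResult Unsafe(string name)
    {
        using var connection = new NpgsqlConnection(_connString);
        connection.Open();
        string souUmaInjection = "SELECT id, name FROM users WHERE name = '" + name + "'";
        using var cmd = new NpgsqlCommand(souUmaInjection, connection);
        return Ok(ReadNames(cmd));
    }

    // Fixed: the SQL text is a constant; user input travels only as a bound
    // parameter, so the database never parses it as part of the statement.
    [HttpGet("/user/safe")]
    public IActionResult Safe(string name)
    {
        using var connection = new NpgsqlConnection(_connString);
        connection.Open();
        using var cmd = new NpgsqlCommand("SELECT id, name FROM users WHERE name = @name", connection);
        cmd.Parameters.AddWithValue("name", name);
        return Ok(ReadNames(cmd));
    }

    private static List<string> ReadNames(NpgsqlCommand cmd)
    {
        var results = new List<string>();
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
            results.Add(reader.GetString(1)); // column 1 is "name"
        return results;
    }
}
```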