Sonarqube not detecting SQL injection in Java code

Hi All,

We are using Sonarqube Community Edition Version 8.7 with Sonar way Java built in profile as default rules. Below is the Java code having SQL injection issue:
String query = String.format(“select CPROD from table_name where CUSERID_WEBSEAL = ‘%s’”, username);

But the Sonarqube does not detect and report the SQL injection issue.

Can some one guide as to why the SQL injection issue is not reported?

Hi @Ruchi ,

as mentioned here under the Maximum protection with detection of injection flaws paragrah (and on the rules website, at the bottom of each rule), SQL injection rules are available in Developer Edition ($) and above, and not in the Community Edition.
If you want to try SonarQube for Security Analysis, reach out to us here !

Have a nice day

1 Like

Thanks @Carine_Bayon for the reply. We tried running the report in the trial version of Sonarqube Enterprise edition . But still the security report could not detect the SQL injection issue in the below Java code:

String query = String.format(“select column_name from table_name where column_name = ‘%s’”, username);

Can you please guide as to why the SQL injection issue is not reported?