Sql injection code is not failing in sonarqube why?

David15 · December 23, 2024, 5:53am

I have sampe.sql file . The file has sql injection issue, but still sonarqube Quaity gate is passed.
Why sonarqube is not detecting it.
below is my sample. sql

BEGIN 
  CREATE TABLE Users (
    UserID INT PRIMARY KEY,
    UserName VARCHAR(50),
    Password VARCHAR(50)
  );
   
  DECLARE @UserName VARCHAR(50);
  DECLARE @Password VARCHAR(50);
  DECLARE @SQLQuery NVARCHAR(1000);
   
  -- Hardcoded credentials
  SET @UserName = 'admin'; 
  SET @Password = 'password123'; -- Hardcoded password
   
  SET @SQLQuery = N'SELECT * FROM Users WHERE UserName = ''' + @UserName + ''' AND Password = ''' + @Password + '''';
  
  EXEC sp_executesql @SQLQuery;
END

Colin · December 24, 2024, 8:21am

Hey there.

When I analyze this code as T-SQL, I get a security hotspot raised to review the hardcoded password.

Are you expecting another issue to be raised?

David15 · December 31, 2024, 7:52am

When I analyzed the code as T-SQL, I identified a security hotspot.

Thanks for your assistance.

Topic		Replies	Views
TSQL Project - Sql Injection not detected SonarQube Server / Community Build tsql	1	561	September 20, 2021
Sonarqube not detecting SQL injection in Java code SonarQube Server / Community Build	2	1132	March 25, 2021
Not detecting code with potential for sql injection SonarQube Server / Community Build csharp , security	9	1667	August 27, 2021
SQL Injection security hotspot not caught by SonarQube Visual Studio csharp , scanner , visualstudio , dotnet	8	5319	November 20, 2019
SonarQube isn't detecting SQL injection coding issues SonarQube Server / Community Build sonarqube , scanner	1	17	February 28, 2025

Sql injection code is not failing in sonarqube why?

Related topics