I am evaluating SonarCloud along with another static analysis tool and noticed that Sonar doesn’t flag any of the potential SQL injection areas that the other tool does. Is there a setting I need to enable?
I am using SonarScanner.MSBuild.exe with the default options for the project that was created in the SonarCloud.io interface.
Hi @TomVanBraband, we are using C# on .NET 4.7.2. Here's an example:
connection.Execute( String.Format( "IF OBJECT_ID('{0}', 'U') IS NOT NULL DROP TABLE {0}", tableName ) );
Where connection is a System.Data.IDbConnection and Execute comes from Dapper.SqlMapper 1.50.5.
I can understand that it's difficult for the system to know whether tableName is tainted, but I would have at least expected it to show in security hotspots.
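As an added illustration (not code from the original thread, SonarSource or Dapper), the pattern quoted above beside a hardened version. Table names cannot be bound as SQL parameters, so the defence is an identifier allowlist check plus server-side quoting; the `connection` variable and the `TableDropper` class are hypothetical.

```csharp
using System;
using System.Data;
using System.Text.RegularExpressions;
using Dapper;

static class TableDropper
{
    // Pattern from the thread: the caller-supplied name is spliced into the
    // statement text, so a value such as "t; DROP TABLE users--" becomes SQL.
    public static void DropUnsafe(IDbConnection connection, string tableName)
    {
        connection.Execute(String.Format(
            "IF OBJECT_ID('{0}', 'U') IS NOT NULL DROP TABLE {0}", tableName));
    }

    // Identifier shape accepted for a table name (constructed allowlist:
    // letter or underscore, then up to 127 word characters, no dots/brackets).
    static readonly Regex SafeIdentifier =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$", RegexOptions.Compiled);

    public static void DropSafe(IDbConnection connection, string tableName)
    {
        if (!SafeIdentifier.IsMatch(tableName))
            throw new ArgumentException("Table name fails identifier check", nameof(tableName));

        // OBJECT_ID takes a string, so the name is bound as a normal parameter.
        // The DROP target is quoted server-side with QUOTENAME before it is
        // executed, so the name is never concatenated into SQL on the client.
        const string sql = @"
DECLARE @stmt nvarchar(300) = N'DROP TABLE ' + QUOTENAME(@name);
IF OBJECT_ID(@name, 'U') IS NOT NULL EXEC sp_executesql @stmt;";

        connection.Execute(sql, new { name = tableName });
    }
}
```

A static analyser can only follow the taint into `String.Format` if it models `Dapper.SqlMapper.Execute` as a SQL sink; the hardened form removes the concatenation regardless of what the tool reports.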