SQL injection detection in .NET project

I am evaluating SonarCloud along with another static analysis tool and noticed that Sonar doesn’t flag any of the potential SQL injection areas that the other tool does. Is there a setting I need to enable?

I am using SonarScanner.MSBuild.exe with the default options for the project that was created in the SonarCloud.io interface.

Hi @steve_c, welcome to the community forum!

Could you share what kind of project you have (which language(s))? Could you also share a snippet of the code that you expected to have been flagged?


Hi @TomVanBraband, we are using C# on .NET 4.7.2. Here’s an example:

connection.Execute( String.Format( "IF OBJECT_ID('{0}', 'U') IS NOT NULL DROP TABLE {0}", tableName ) );

Where connection is a System.Data.IDbConnection and Execute comes from Dapper.SqlMapper 1.50.5.

I can understand that it’s difficult for the system to know whether tableName is tainted but I would have at least expected it to show in security hotspots.
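The pattern from the snippet above next to a hardened form, as an added example that is not code from the original thread or from Dapper. It assumes the same IDbConnection plus Dapper setup; the allowlist table names and the helper names are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Dapper;

public static class TableDropper
{
    // Constructed allowlist: the only tables this code is ever permitted to drop.
    private static readonly HashSet<string> DroppableTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Staging_Import", "Staging_Temp" };

    // Vulnerable form from the thread: tableName is formatted straight into the statement,
    // so any caller-controlled value becomes part of the SQL text.
    public static void DropTableUnsafe(IDbConnection connection, string tableName)
    {
        connection.Execute(String.Format(
            "IF OBJECT_ID('{0}', 'U') IS NOT NULL DROP TABLE {0}", tableName));
    }

    // Hardened form. A table identifier cannot be bound as a SQL parameter, so:
    //  1. fail closed on anything that is not on the allowlist,
    //  2. bind the OBJECT_ID argument as a real parameter (it is a string, not an identifier),
    //  3. bracket-quote the identifier in DROP TABLE, doubling any ']' the same way
    //     T-SQL QUOTENAME does, so the value can never close the identifier early.
    public static void DropTableSafe(IDbConnection connection, string tableName)
    {
        if (!DroppableTables.Contains(tableName))
            throw new ArgumentException("table is not in the drop allowlist", nameof(tableName));

        string quoted = "[" + tableName.Replace("]", "]]") + "]";
        connection.Execute(
            "IF OBJECT_ID(@name, 'U') IS NOT NULL DROP TABLE " + quoted,
            new { name = tableName });
    }
}
```

Keeping the identifier on a fixed allowlist is the check that removes the taint question entirely; the quoting is defence in depth for the case where the list is later loaded from configuration.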