Hello, I am considerating using SonarQube in my company and would like to ensure something about false negatives. I am using: SonarQube CE server 8.8.0.42792 Gradle plugin id “org.sonarqube” version “3.0” while scanning code to verify against SQL Injection, I noticed that scanner missed manually…

SQL Injection not detected when query is a result of joining function

eric.therond (Eric Therond) April 30, 2021, 5:58pm 5

@voitech I didn’t look at your environment:

s3649 is an injection rule available from SonarQube Developer Edition
So it’s normal you don’t have any issues with SonarQube CE and s3649

Eric

1 Like

Topic		Replies	Views
SonarQube v2025.1 Not Detecting SQL Injection in TypeScript Report False-positive / False-negative... javascript , scanner , coverage , security-hotspot , sonar-scanner	1	44	February 5, 2025
SQL Injection security hotspot not caught by SonarQube Visual Studio csharp , scanner , visualstudio , dotnet	8	5355	November 20, 2019
Sonarqube does not identify sql injection Report False-positive / False-negative... csharp , false-negative	3	1121	June 2, 2021
Database queries should not be vulnerable to injection attacks Report False-positive / False-negative... javascript , sonarqube , security	1	609	September 27, 2022
SonarQube is unable to detect SQL Injection Report False-positive / False-negative...	1	103	June 20, 2024