We are missing SQL taint rules in Sonar.
We are migrating from Coverity to Sonar and we have observed, for example, that this kind of high-impact security issue is not detected in Sonar. What can we do to detect such issues in Sonar? We are using SonarQube Enterprise version 9.9.
Issue snippet covered by Coverity but not Sonar:
sql_taint: Insecure concatenation of a SQL statement. The value X is tainted.
Perform one of the following to guard against SQL injection attacks.
- Parameterize the SQL statement, binding tainted values to parameters within the statement.
- Validate user-supplied values against predefined constant values. Concatenate these constant values into the SQL statement.
- Cast tainted values to safe types such as integers. Concatenate these type safe values into the statement.
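The three remediations the Coverity finding lists, shown side by side with the insecure concatenation it flags. This is an added example written for this thread, not code from the original post or from Coverity or Sonar; it uses Python's built-in sqlite3 module against a constructed in-memory table, and the function and column names are assumptions.

```python
import sqlite3

# Constructed sample database for the demonstration (not from the original post).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'carol', 'user');
    """)
    return conn

# What the sql_taint check flags: a tainted value is concatenated straight into the
# statement, so the database parses attacker-controlled text as SQL.
def find_by_name_vulnerable(conn: sqlite3.Connection, name: str):
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# Remediation 1: parameterize. The driver binds the value; it is never parsed as SQL,
# so quote characters in `name` cannot change the statement's structure.
def find_by_name_safe(conn: sqlite3.Connection, name: str):
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

# Remediation 2: validate against predefined constants, then concatenate the constant.
# Identifiers such as column names cannot be bound as parameters, so an allow-list is
# the usual pattern: only one of our own literal strings ever reaches the statement.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}

def list_sorted(conn: sqlite3.Connection, sort_column: str):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute("SELECT name FROM users ORDER BY " + sort_column).fetchall()

# Remediation 3: cast the tainted value to a safe type before concatenating.
# int() rejects anything that is not a plain integer literal, so the concatenated
# text can only ever be digits (with an optional sign).
def find_by_id(conn: sqlite3.Connection, raw_id: str):
    user_id = int(raw_id)  # raises ValueError for non-numeric input
    return conn.execute("SELECT name FROM users WHERE id = " + str(user_id)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input that should match no real user
    print("vulnerable:", find_by_name_vulnerable(conn, probe))  # returns every row
    print("parameterized:", find_by_name_safe(conn, probe))    # returns []
    print("allow-listed sort:", list_sorted(conn, "name"))
    print("cast id:", find_by_id(conn, "2"))
```

Running the script shows the difference a taint rule is meant to catch: the concatenated query returns all three users for an input that names none of them, while the parameterized version returns nothing. The allow-list and cast variants still concatenate, but only values the program itself produced, which is why Coverity accepts them as sanitization.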