Trigger owasp top ten A1:2017 (injection)

I have created simple java project to demonstrate to my customer how Sonarqube catches an SQL Injection attack, as I have read it can classify OWASP TOP TEN items.
The scan finds a security hotspot when the SQL query is concatenated like this:

final String query = "SELECT * FROM Users WHERE userName = '" + userName + "'";

And the message is “Make sure using a dynamically formatted SQL query is safe here.”.
Going to the Issues tab however, there is nothing reported on this issue under the Security Categories for OWASP Top 10 2021 or 2017.

Are the security categories and tags supposed to be applied automatically here, or have I missed something?

More technical info follows.

The userName parameter is recieved on the server as follows:

    public String index(Model model,
                        @RequestParam(required = false) Integer userid,
                        @RequestParam(required = false) String userName) throws SQLException {

A working injection for this param can look like http://localhost:8090/?userName='+union+select+id,k+as+userName,v+as+fullName+from+secrets+--'

Using Sonarqube Community Edition, Version 10.0 (build 68432) deployed in docker.
Scanning with sonar gradle plugin version
Code is compiled with Java 17, and uses Spring Boot 3.0.6


Welcome to the community!

Taint analysis rules start in Developer Edition($). You can get a license for a free trial from that^ page.