TSQL Project - Sql Injection not detected

Philip_Rowley · September 3, 2021, 12:08pm

I created a stored procedure in TSQL with a SQL Injection risk to see if it would be identified by SonarQube.
The build is in azure with Prepare Analysis, Run Code Analysis and Publish Quality Gate Result.
Code smells are identified, however Sql Injection risk was not identified.
Is it possible for SonarQube to identify Sql Injection.

declare @sql nvarchar(max)
select @sql = 'select Code, Messages from ShopItems where ShopItemID = '+@PurchaseID
select @sql
EXEC sp_executesql @sql

I am using data center edition 8.4.2

Thanks Phil

pynicolas · September 20, 2021, 2:47pm

Hi,

Indeed, such a case should be caught by the rule named Dynamically executing code is security-sensitive.
This is definitely a false negative and we should fix it.
Ticket created: SONARTSQL-271

Thanks a lot for your feedback!
Pierre-Yves