TSQL Project - Sql Injection not detected

I created a stored procedure in TSQL with a SQL injection risk to see if it would be identified by SonarQube.
The build is in Azure with Prepare Analysis, Run Code Analysis and Publish Quality Gate Result.
Code smells are identified; however, the SQL injection risk was not identified.
Is it possible for SonarQube to identify SQL injection?

declare @sql nvarchar(max)
select @sql = 'select Code, Messages from ShopItems where ShopItemID = '+@PurchaseID
select @sql
EXEC sp_executesql @sql

I am using Data Center Edition 8.4.2.

Thanks, Phil


Indeed, such a case should be caught by the rule named "Dynamically executing code is security-sensitive".
This is definitely a false negative and we should fix it.
Ticket created: SONARTSQL-271

Thanks a lot for your feedback!
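
For readers comparing forms, the concatenation pattern from the question next to a parameterized `sp_executesql` call and a static query. This is an added example, not code from either poster or from SonarQube. The procedure names, the `@id` parameter name and the parameter types are assumptions; the table and column names are taken from the question.

```sql
-- Added example. Procedure names, @id and the parameter types are assumptions;
-- ShopItems, Code, Messages and ShopItemID come from the question.

-- 1) Pattern from the question: the parameter value is concatenated into the
--    statement text, so whatever it contains is parsed as part of the SQL.
CREATE OR ALTER PROCEDURE dbo.GetShopItem_Concatenated   -- hypothetical name
    @PurchaseID nvarchar(50)                             -- assumed type
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'select Code, Messages from ShopItems where ShopItemID = ' + @PurchaseID;
    EXEC sp_executesql @sql;
END;
GO

-- 2) Parameterized dynamic SQL: the statement text is a constant and the value
--    is bound as a typed parameter, so it is never parsed as SQL.
CREATE OR ALTER PROCEDURE dbo.GetShopItem_Parameterized  -- hypothetical name
    @PurchaseID int                                      -- assumed type
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'select Code, Messages from ShopItems where ShopItemID = @id';

    EXEC sp_executesql
         @sql,
         N'@id int',          -- parameter definition list
         @id = @PurchaseID;   -- value passed out-of-band from the statement text
END;
GO

-- 3) Static SQL: when no part of the statement needs to vary, dynamic
--    execution is unnecessary and the query can be written directly.
CREATE OR ALTER PROCEDURE dbo.GetShopItem_Static         -- hypothetical name
    @PurchaseID int                                      -- assumed type
AS
BEGIN
    SELECT Code, Messages
    FROM ShopItems
    WHERE ShopItemID = @PurchaseID;
END;
GO
```

`GO` is a batch separator understood by client tools such as sqlcmd and SSMS, and `CREATE OR ALTER` requires SQL Server 2016 SP1 or later.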