I created a stored procedure in T-SQL with a SQL injection risk to see if it would be identified by SonarQube.
The build is in Azure with Prepare Analysis, Run Code Analysis and Publish Quality Gate Result.
Code smells are identified; however, the SQL injection risk was not identified.
Is it possible for SonarQube to identify SQL injection?
```sql
-- @PurchaseID is the stored procedure's input parameter (its declaration is not shown in the post).
DECLARE @sql nvarchar(max);
-- Injection point: the caller-supplied value is concatenated into the statement text
SELECT @sql = 'select Code, Messages from ShopItems where ShopItemID = ' + @PurchaseID;
EXEC sp_executesql @sql;
```
I am using Data Center Edition 8.4.2.
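As an added example (not part of the original post and not SonarQube's own output), the lookup from the question written both ways: first as posted, with the value concatenated into the statement text, then with the value handed to sp_executesql as a typed parameter so it can never become statement text. The temporary table, its rows and the input value N'1 OR 1=1' are constructed for this demo; the original post does not show the ShopItems schema.

```sql
-- Constructed demo table (the real ShopItems schema is not shown in the post)
CREATE TABLE #ShopItems (ShopItemID int, Code nvarchar(20), Messages nvarchar(100));
INSERT INTO #ShopItems (ShopItemID, Code, Messages)
VALUES (1, N'A1', N'first item'), (2, N'B2', N'second item');

-- Attacker-controlled input standing in for the @PurchaseID procedure parameter
DECLARE @PurchaseID nvarchar(50) = N'1 OR 1=1';
DECLARE @sql nvarchar(max);

-- 1. Vulnerable form, as in the question: the value becomes part of the SQL text
SELECT @sql = N'SELECT Code, Messages FROM #ShopItems WHERE ShopItemID = ' + @PurchaseID;
EXEC sp_executesql @sql;   -- the WHERE clause is now "ShopItemID = 1 OR 1=1": every row is returned

-- 2. Hardened form: the statement text is a constant; the value travels as a typed parameter
SET @sql = N'SELECT Code, Messages FROM #ShopItems WHERE ShopItemID = @id';
BEGIN TRY
    -- sp_executesql binds @id with the declared type; the payload cannot change the query shape
    EXEC sp_executesql @sql, N'@id int', @id = @PurchaseID;
END TRY
BEGIN CATCH
    -- N'1 OR 1=1' is not a valid int, so the conversion fails instead of widening the query
    PRINT ERROR_MESSAGE();
END CATCH;

-- Same hardened statement with a legitimate value returns exactly one row
EXEC sp_executesql @sql, N'@id int', @id = 1;

DROP TABLE #ShopItems;
```

The difference a static analyser has to see is in the first form only: a variable derived from an input parameter flows into the string that is passed to EXEC or sp_executesql. In the second form the only thing that reaches the statement text is a literal, which is what the parameterised call is for.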