Doctrine QueryBuilder is supported with the rule S3649 but not for S2077 for the moment. Notice that the detection of injection vulnerabilities like S3649 is available starting SonarQube Commercial Edition.
We will try to add the support of QueryBuilder to the S2077 rule.
Thank you for the report.
Eric