DapperLib / Dapper

Dapper - a simple object mapper for .Net
https://www.learndapper.com/

Veracode reports SQL Injection | CWE 89 #1789

Open karthiksubramaniam opened 2 years ago

karthiksubramaniam commented 2 years ago

Veracode static scan reports SQL injection on the following methods:

- dapper.dll -> SqlMapper.cs -> ExecuteCommand
- dapper.dll -> SqlMapper.cs -> ExecuteReaderWithFlagsFallback

Recommendations: Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

mgravell commented 2 years ago

Veracode is incorrect - meaning: this is a false positive. Dapper fully supports and encourages parameterization - that is a key design goal. If consumers use Dapper incorrectly and pass in concatenated queries, then yes: that code will be dangerous, but that's not a fault in Dapper - every tool can be used incorrectly.

If you're reporting this because you got an automated flag from a tool: I'd strongly suggest adding an override in this case. If you're reporting this because you have suggestions on how we can further discourage incorrect usage, then great: we're all ears, but that's going to need a more nuanced discussion than "computer says bad".
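To make the distinction in the thread concrete, here is an added C# example (not code from the Dapper project or from either commenter) showing the concatenated query that would actually be injectable next to the parameterized form Dapper is designed around. The `Users` table, its `Id`/`Email`/`Role` columns, and the sort-column allow-list are assumptions made for the example; `db` is any open `IDbConnection`.

```csharp
// Added example, not part of the Dapper project or this issue thread.
// Assumes a table "Users" with columns Id, Email, Role (assumption) and an open
// IDbConnection such as Microsoft.Data.SqlClient.SqlConnection.
using System;
using System.Collections.Generic;
using System.Data;
using Dapper;

public class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    public string Role { get; set; } = "";
}

public static class UserQueries
{
    // UNSAFE: the untrusted value is spliced into the SQL text, so the database
    // parses whatever the caller supplied as part of the statement. This is the
    // "concatenated query" the maintainer describes, and it is entirely on the
    // caller's side: nothing in Dapper's API requires building SQL this way.
    public static User? FindByEmailUnsafe(IDbConnection db, string email)
    {
        var sql = "SELECT Id, Email, Role FROM Users WHERE Email = '" + email + "'";
        return db.QueryFirstOrDefault<User>(sql);
    }

    // SAFE: the SQL text is a constant and the value travels as a bind parameter.
    // Dapper maps the anonymous object's Email property to an IDbDataParameter
    // named @Email, so the driver sends the value separately from the statement
    // and the database never interprets it as SQL. Internally the command still
    // reaches SqlMapper's ExecuteCommand / ExecuteReaderWithFlagsFallback with
    // text and parameters already separated, which is why a scanner that only
    // sees "a string becomes CommandText" reports those methods.
    public static User? FindByEmail(IDbConnection db, string email)
    {
        const string sql = "SELECT Id, Email, Role FROM Users WHERE Email = @Email";
        return db.QueryFirstOrDefault<User>(sql, new { Email = email });
    }

    // Parameters also cover the IN-list case: Dapper expands an IEnumerable
    // parameter into (@Ids1, @Ids2, ...) so callers never concatenate id lists.
    public static IEnumerable<User> FindByIds(IDbConnection db, IEnumerable<int> ids)
    {
        const string sql = "SELECT Id, Email, Role FROM Users WHERE Id IN @Ids";
        return db.Query<User>(sql, new { Ids = ids });
    }

    // Identifiers (table and column names) cannot be bound as parameters. Where a
    // caller must choose a sort column, map the caller's key to a literal the code
    // controls; the caller's string itself never reaches the SQL text.
    // The allow-list contents are an assumption for this example.
    private static readonly Dictionary<string, string> SortColumns =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["email"] = "Email",
            ["role"] = "Role",
        };

    public static IEnumerable<User> ListSorted(IDbConnection db, string sortKey)
    {
        if (!SortColumns.TryGetValue(sortKey, out var column))
            throw new ArgumentException($"Unsupported sort key '{sortKey}'", nameof(sortKey));

        // `column` is one of our own literals, so this interpolation is not injectable.
        var sql = $"SELECT Id, Email, Role FROM Users ORDER BY {column}";
        return db.Query<User>(sql);
    }
}
```

When triaging a finding like the one in this issue, the question to ask of application code is whether the string handed to `Query`/`Execute` is built from untrusted input (the `FindByEmailUnsafe` shape) or is constant with values passed in the parameter object (`FindByEmail`); only the former is a real sink, and the flag on Dapper's internal methods can be overridden once the call sites have been checked.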