Open mattwatsonad opened 2 years ago
Hi @mattwatsonad, thanks for reporting the issue. I can confirm the false negative.
Based on the documentation, interpolated strings are safe:
"Any interpolated parameter values you supply will automatically be converted to a DbParameter."
Before closing this issue we need to update the reproducer to remove the // Compliant - FN comments.
Description
When using DataContext.TableName.FromSql("") SQL injection hotspots are not being picked up.
Repro steps
Expected behavior
It should identify that user input is being put straight into a string executed as SQL, and flag it as a hotspot.
Actual behavior
No issues of any kind are detected on the above snippet.
Known workarounds
None
Related information
SonarQube Developer Edition Version 9.3 (build 51899)
ASP.NET Core 3.1 C# project
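As an added example (not code from this issue or from sonar-dotnet), the call patterns the SQL-injection hotspot rule is expected to flag, next to the interpolated and parameterized forms the documentation quoted in the comment above calls safe. It assumes EF Core 3.1, where FromSql was split into FromSqlRaw and FromSqlInterpolated, and a hypothetical Customer entity and AppDbContext.

```csharp
// Added example, not part of the issue: EF Core 3.1 query patterns and whether
// user input reaches the database as SQL text or as a DbParameter.
using System.Linq;
using Microsoft.EntityFrameworkCore;

public class Customer            // hypothetical entity for the example
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class AppDbContext : DbContext   // hypothetical context for the example
{
    public DbSet<Customer> Customers { get; set; }
}

public static class CustomerQueries
{
    // VULNERABLE: user input is concatenated into the SQL text before the
    // query is sent. This is the call site the hotspot rule should flag.
    public static IQueryable<Customer> ByNameConcat(AppDbContext db, string userInput) =>
        db.Customers.FromSqlRaw("SELECT * FROM Customers WHERE Name = '" + userInput + "'");

    // ALSO VULNERABLE: FromSqlRaw takes a plain string, so the $"" literal is
    // interpolated by C# before the call and no DbParameter is ever created.
    // Being interpolated is not enough; the overload must take a FormattableString.
    public static IQueryable<Customer> ByNameRawInterpolated(AppDbContext db, string userInput) =>
        db.Customers.FromSqlRaw($"SELECT * FROM Customers WHERE Name = '{userInput}'");

    // SAFE: FromSqlInterpolated takes a FormattableString, and EF Core turns each
    // interpolated value into a DbParameter, which is the behaviour the quoted
    // documentation describes. The hotspot rule should not flag this.
    public static IQueryable<Customer> ByNameInterpolated(AppDbContext db, string userInput) =>
        db.Customers.FromSqlInterpolated($"SELECT * FROM Customers WHERE Name = {userInput}");

    // SAFE: the raw overload with an explicit placeholder; the value is passed as a
    // parameter rather than spliced into the SQL text.
    public static IQueryable<Customer> ByNameParam(AppDbContext db, string userInput) =>
        db.Customers.FromSqlRaw("SELECT * FROM Customers WHERE Name = {0}", userInput);
}
```

The second method is the case a rule keyed only on "is the argument an interpolated string" would wrongly treat as compliant; what matters is the parameter type of the overload actually bound.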