Code QL not finding sql server injection attack

[mbowlin-insight]

I created a sample SQL Server injection attack, and CodeQL is not recognizing the vulnerability. If I do the same thing for a PostgreSQL database, it recognizes the vulnerability.

No Error found:

Error found:

Any ideas on why this would be the case?

[rvermeulen]

Hi @mbowlin-insight,

Thanks for the report. We will investigate this FN and provide an update as soon as possible.

[michaelnebel]

Thank you for reporting this. This might very well be a lack models for the SqlCommand in Microsoft.Data.SqlClient.

[michaelnebel]

@mbowlin-insight : It turns out we do have some modelling for Microsoft.Data.SqlClient.SqlCommand but it is based on the inheritance hierarchy (and not directly on this type). It is possible to me to re-produce a similar example with an alert using the Microsoft.Data.SqlClient.SqlCommand. Is the database extracted using build-mode: none (used by default setup) or traced extraction (you have provided your own build command)? Is it possible for you to share the database?

[michaelnebel]

Will try to make some native models for Microsoft.Data.SqlClient.SqlCommand that isn't based on the inheritance hierarchy. Also, it looks like we haven't modelled Microsoft.Data.SqlClient.SqlDataAdapter - this will be done as well.
However, I don't know whether this will fix the reported issue (then I need more information).
The PR is opened here.

[mbowlin-insight]

It is modeled with ```build-mode: none

I will see if I can get the database to share with you.

[michaelnebel]

PR is merged. Maybe it will solve the issue.