How to deal with this SQL injection warning (CA2100)

Question

Below is the code I got from Microsoft page: SqlCommand

public static Int32 ExecuteNonQuery(String connectionString, String commandText, CommandType commandType, params SqlParameter[] parameters)
{
        using (SqlConnection conn = new SqlConnection(connectionString))
        {
            using (SqlCommand cmd = new SqlCommand(commandText, conn))
            {
                // There're three command types: StoredProcedure, Text, TableDirect. The TableDirect 
                // type is only for OLE DB.  
                cmd.CommandType = commandType;
                cmd.Parameters.AddRange(parameters);

                conn.Open();
                return cmd.ExecuteNonQuery();
            }
        }
}

However, VS code analysis still complains about "CA2100":

Warning CA2100 The query string passed to 'SqlCommand.SqlCommand(string, SqlConnection)' in 'FlexClaimFormRepository.ExecuteNonQuery(string, string, CommandType, params SqlParameter[])' could contain the following variables 'commandText'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.

I know the exact reason why the warning is there, but anyidea on how to get rid of it? Given setting commandText inside the function is not acceptable since I want it to be a parameter.

Answer 1

I know this question is old, but maybe this will help someone with the same issue. I also was using a stored procedure and therefore suppressed the warning using the information from this article from Microsoft: https://learn.microsoft.com/en-us/visualstudio/code-quality/in-source-suppression-overview?view=vs-2019 .

Here's the attribute I added to my method:

[System.Diagnostics.CodeAnalysis.SuppressMessage("Security", "CA2100:Review SQL queries for security vulnerabilities", Justification = "Method already uses a Stored Procedure")]