Why sonar cloud does not tag as "Injection"?


Take a look at this code:

using Microsoft.Azure.Cosmos;

var url = "https://mydatabase.documents.azure.com:443/";
var db = "my-db";
var key = "mykey"; // placeholder value, not a real account key

// `data` is the incoming request object (with UniversalId and Uri) that is not shown in the post
var sqlQueryText = $"SELECT * FROM CelCoinData f WHERE f.id = '{data.UniversalId}' and f.uri = '{data.Uri}'";

var cliente = new CosmosClient(url, key);
var database = cliente.GetDatabase(db);
var containers = database.GetContainer("MyContainer");
var dados = new DataCosmosDB();

// the interpolated string is passed straight to Cosmos DB as the query text
var iterator = containers.GetItemQueryIterator<DataCosmosDB>(sqlQueryText);

In my opinion, this is textbook SQL injection, but SonarCloud does not flag it as such. Why?

Is Cosmos invulnerable to it? Does the Cosmos client somehow figure this out and adjust accordingly, and is Sonar aware of this?




According to SonarCloud support, Cosmos is not detected as a SINK yet. They will make the appropriate changes.
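Whatever the scanner reports, the query in the question is an injection sink, and the fix is the same as for any SQL API: keep the query text constant and pass the values as parameters. Below is an added example (not the poster's code) that places the question's interpolated query next to a parameterized QueryDefinition from the Microsoft.Azure.Cosmos v3 SDK; the LookupRequest type and the property names on DataCosmosDB are assumptions.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Azure.Cosmos;

// Assumed document shape for the CelCoinData container (not from the post).
public class DataCosmosDB
{
    public string id { get; set; }
    public string uri { get; set; }
}

// Assumed request type standing in for the `data` object in the question.
public class LookupRequest
{
    public string UniversalId { get; set; }
    public string Uri { get; set; }
}

public static class CelCoinQueries
{
    // Vulnerable form, as in the question: request values are spliced into the
    // SQL text, so the caller controls the structure of the query. This is the
    // sink that SonarCloud did not yet model for Cosmos DB.
    public static string BuildUnsafeQuery(LookupRequest data) =>
        $"SELECT * FROM CelCoinData f WHERE f.id = '{data.UniversalId}' and f.uri = '{data.Uri}'";

    // Hardened form: the SQL text is a literal and the values travel as named
    // parameters, so the server treats them as data and never as query syntax.
    public static QueryDefinition BuildSafeQuery(LookupRequest data) =>
        new QueryDefinition(
                "SELECT * FROM CelCoinData f WHERE f.id = @id AND f.uri = @uri")
            .WithParameter("@id", data.UniversalId)
            .WithParameter("@uri", data.Uri);

    // Runs the parameterized query and drains every result page.
    public static async Task<List<DataCosmosDB>> FindAsync(Container container, LookupRequest data)
    {
        var results = new List<DataCosmosDB>();
        using FeedIterator<DataCosmosDB> iterator =
            container.GetItemQueryIterator<DataCosmosDB>(BuildSafeQuery(data));
        while (iterator.HasMoreResults)
        {
            FeedResponse<DataCosmosDB> page = await iterator.ReadNextAsync();
            results.AddRange(page);
        }
        return results;
    }
}
```

A grep for GetItemQueryIterator calls that take a string built with `$"..."` or string concatenation is a cheap interim check while the scanner rule is missing.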