Suppressed CodeQL alerts related to tainted SQL command text.#4028

Merged
cheenamalhotra merged 1 commit into main from dev/paul/codeql
Mar 10, 2026

Conversation

@paulmedynski
Contributor

Description

Suppressed CodeQL alerts related to tainted SQL command text. Accepting T-SQL from an app and executing it is a core feature of the driver.

Testing

No testing concerns. I will watch the CodeQL dashboard to see if these suppressions work as intended.

@paulmedynski paulmedynski requested a review from a team as a code owner March 10, 2026 16:40
Copilot AI review requested due to automatic review settings March 10, 2026 16:40
@github-project-automation github-project-automation bot moved this to To triage in SqlClient Board Mar 10, 2026
@paulmedynski paulmedynski moved this from To triage to In review in SqlClient Board Mar 10, 2026
@paulmedynski paulmedynski added the Area\Engineering Use this for issues that are targeted for changes in the 'eng' folder or build systems. label Mar 10, 2026
@paulmedynski paulmedynski added this to the 7.0.0 milestone Mar 10, 2026
Copilot AI (Contributor) left a comment

Pull request overview

This PR aims to suppress CodeQL findings that flag assigning potentially tainted SQL text into SqlCommand.CommandText, on the basis that executing caller-provided T-SQL is expected behavior for a SQL client driver.

Changes:

  • Added inline comments intended to suppress CodeQL alerts on CommandText assignments in SqlCommand constructors (including the copy constructor).
  • Minor whitespace/formatting cleanup in the touched regions.

@codecov

codecov bot commented Mar 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.03%. Comparing base (326a242) to head (9141a22).
⚠️ Report is 2 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (326a242) and HEAD (9141a22).

HEAD has 1 upload less than BASE
Flag          BASE (326a242)   HEAD (9141a22)
CI-SqlClient  1                0
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4028      +/-   ##
==========================================
- Coverage   72.65%   65.03%   -7.62%     
==========================================
  Files         287      282       -5     
  Lines       43134    66043   +22909     
==========================================
+ Hits        31337    42953   +11616     
- Misses      11797    23090   +11293     
Flag                  Coverage   Δ
CI-SqlClient          ?
PR-SqlClient-Project  65.03% <ø> (?)

@cheenamalhotra cheenamalhotra merged commit b7f5e88 into main Mar 10, 2026
300 checks passed
@github-project-automation github-project-automation bot moved this from In review to Done in SqlClient Board Mar 10, 2026
@cheenamalhotra cheenamalhotra deleted the dev/paul/codeql branch March 10, 2026 18:16