VeraCode flags SQL injection when using a variable database name in prepared statements

In my application, I’m working with a SQL Server containing numerous databases that share the same table structure. I need to execute queries similar to the following:

SELECT * 
FROM {database}.dbo.tableA 
WHERE fieldA = ?

Here, {database} is substituted with a database name that is determined dynamically, derived from a server scan where users cannot provide input. VeraCode alerts that this implementation poses a potential SQL injection threat. Interestingly, queries without a dynamic database name or those lacking parameters do not raise any flags with VeraCode. I also attempted using connection.setCatalog to circumvent the dynamic name issue, but that was also flagged. I’m perplexed by how VeraCode assesses this as a risk.

Could it be that Veracode considers even non-user influenced identifiers as potentially risky? Maybe it assumes any dynamic injection, regardless of its source, could be vulnerable? Have you tried logging how the database name is sourced to see if extra context might convince Veracode it’s not a threat?

Hey, it’s strange VeraCode is flagging that. You might try sending the static names for the databases you’re going to use to VeraCode as a config; maybe you can set up a whitelist of sorts? Sometimes these tools just need a bit more context to rule out false positives.
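Added example, not code from the question or either reply: it shows the pattern the question describes (a catalog name spliced into the text of an otherwise parameterised query) together with the allowlist gate the second reply suggests. A placeholder can only carry a value, never an identifier, so the database name has to enter the SQL text; what keeps that from being an injection sink is that the name must be a plain identifier and must be one of the names the server scan returned. The allowlist, the table layout and the row data are constructed here; the SQL Server query text is built as a string, and the same validator is then run end to end against attached sqlite databases since sqlite is what runs offline.

```python
import re
import sqlite3
from typing import Collection

# Constructed allowlist standing in for the result of the server scan the
# question describes. In the real application this set would be filled from
# the scan (e.g. sys.databases), not hard-coded.
SCANNED_DATABASES = frozenset({"Sales_2023", "Sales_2024", "Archive"})

# A catalog name we are prepared to splice into SQL text: letters, digits and
# underscores only, starting with a letter or underscore, at most 128 chars
# (SQL Server's identifier limit). Anything else is rejected, not escaped.
_PLAIN_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")


def validate_catalog(name: str, known: Collection[str]) -> str:
    """Return name unchanged if it is a plain identifier on the allowlist.

    Placeholders (?) can only carry values, never identifiers, so the catalog
    name has to go into the statement text. These two checks are what make
    that safe: the value must look like a plain identifier and must be one of
    the names the scan returned.
    """
    if not _PLAIN_IDENTIFIER.fullmatch(name):
        raise ValueError(f"not a plain identifier: {name!r}")
    if name not in known:
        raise ValueError(f"catalog not in scan results: {name!r}")
    return name


def build_sqlserver_query(database: str, known: Collection[str]) -> str:
    """SQL Server text for the question's query; fieldA stays a bound parameter."""
    catalog = validate_catalog(database, known)
    return f"SELECT * FROM [{catalog}].dbo.tableA WHERE fieldA = ?"


def lookup_in_sqlite(database: str, value: str, known: Collection[str]):
    """Run the same pattern end to end on sqlite (which has no 'dbo' schema).

    Constructed data: one attached in-memory database per scanned catalog,
    each with a tableA holding a single row.
    """
    conn = sqlite3.connect(":memory:")
    for cat in known:
        # ATTACH cannot bind the schema name either, so it goes through the same gate.
        cat = validate_catalog(cat, known)
        conn.execute(f"ATTACH DATABASE ':memory:' AS {cat}")
        conn.execute(f"CREATE TABLE {cat}.tableA (id INTEGER, fieldA TEXT)")
        conn.execute(f"INSERT INTO {cat}.tableA VALUES (1, ?)", (f"row-of-{cat}",))
    catalog = validate_catalog(database, known)
    # Identifier from the gate, value from the placeholder: never the other way round.
    rows = conn.execute(
        f"SELECT id, fieldA FROM {catalog}.tableA WHERE fieldA = ?", (value,)
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(build_sqlserver_query("Sales_2024", SCANNED_DATABASES))
    print(lookup_in_sqlite("Archive", "row-of-Archive", SCANNED_DATABASES))
    for bad in ("Sales_2024].dbo.other", "master"):
        try:
            build_sqlserver_query(bad, SCANNED_DATABASES)
        except ValueError as err:
            print("rejected:", err)
```

Whether a scanner accepts this depends on the tool, but the property a reviewer can verify is the one the code enforces: the only string that ever reaches the statement text is a token that matched the identifier pattern and was already in the scan result, and the user-supplied value still travels through the placeholder.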