Labels: question (Further information is requested)
Description
We are evaluating GHAS for our app sec pipeline and we can't seem to get it to flag SQL injection.
```csharp
// Using directives added so the snippet compiles in context; the method body is as posted.
// Assumed: _pgDatabase is an NHibernate ISessionFactory and ThirdPartyType is an enum defined elsewhere.
using System.Data.SqlClient;
using NHibernate;

public void SubscribeTo(int systemKeyId, ThirdPartyType thirdParty, string userReference)
{
#pragma warning disable SYSLIB0021
#pragma warning disable SCS0010
    // this is detected
    System.Security.Cryptography.SymmetricAlgorithm serviceProvider = new System.Security.Cryptography.DESCryptoServiceProvider();
#pragma warning restore SCS0010
#pragma warning restore SYSLIB0021
#pragma warning disable CS0618 // Type or member is obsolete
    // none of these detected (query text built by concatenating the userReference parameter)
    var adapterA = new SqlCommand("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + userReference + "' ORDER BY PRICE");
    var adapterB = new SqlCommand("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + userReference + "' ORDER BY PRICE", null);
    var adapterC = new SqlCommand("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + userReference + "' ORDER BY PRICE", null, null);
#pragma warning restore CS0618 // Type or member is obsolete
    using (var session = _pgDatabase.OpenSession())
    using (var transaction = session.BeginTransaction(System.Data.IsolationLevel.ReadCommitted))
    {
        // this is not detected (interpolated string passed to NHibernate's CreateSQLQuery)
        session.CreateSQLQuery(@$"insert into thirdpartymonitor.subscription(user_reference, thirdparty_id, system_id) VALUES ('{userReference}', {thirdParty}, {systemKeyId}) ON CONFLICT DO NOTHING;")
            .ExecuteUpdate();
        transaction.Commit();
    }
}
```

I would expect the SqlCommand to be detected as per
```
- ["System.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String)", "", "Argument[0]", "sql-injection", "manual"]
```

But I'm not sure if CreateSQLQuery is detected, as I don't see a sink for nhibernate.CreateSQLQuery?
I've attached my workflow file too.
Cheers,
Indy
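As an added example (not code from the issue above or from the CodeQL repository), the following CodeQL Models-as-Data extension declares NHibernate's `ISession.CreateSQLQuery(string)` as a `sql-injection` sink, using the same nine-column row format as the `SqlCommand` sink row quoted in the issue. The pack name and file location are assumptions. A sink on its own does not raise an alert: the `cs/sql-injection` query reports a flow from a recognised source (for example an ASP.NET request parameter) to the sink, and a bare method parameter such as `userReference` is not a source by default, so it is worth checking that the analysed code actually calls `SubscribeTo` with request-derived data before concluding the sink is missing.

```yaml
# models/nhibernate-sql.model.yml (assumed path inside an extension pack)
# Added example of a CodeQL data extension; not part of the issue or of
# the CodeQL repository. Column order is the C# sinkModel format:
#   namespace, type, subtypes, name, signature, ext, input, kind, provenance
extensions:
  - addsTo:
      pack: codeql/csharp-all
      extensible: sinkModel
    data:
      # subtypes = True so the concrete session class returned by
      # ISessionFactory.OpenSession() is matched, not just the interface.
      - ["NHibernate", "ISession", True, "CreateSQLQuery", "(System.String)", "", "Argument[0]", "sql-injection", "manual"]
      # The stateless session interface exposes the same method.
      - ["NHibernate", "IStatelessSession", True, "CreateSQLQuery", "(System.String)", "", "Argument[0]", "sql-injection", "manual"]
```

Package the file in an extension pack: a `qlpack.yml` next to it declaring `extensionTargets` with `codeql/csharp-all: '*'` and listing the file under `dataExtensions`, then make the pack visible to the analysis (for example with `--additional-packs` on `codeql database analyze`). Once the sink is picked up, the interpolated string handed to `CreateSQLQuery` in the snippet above should be reported whenever `userReference` is reachable from a modelled source.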