Summary
DbSymbolReader.GetSymbolsAtLine still binds SQLite parameters through AddWithValue. Most of the codebase appears to have moved toward explicit command/parameter policy helpers, so this remaining use should be audited and replaced for consistency and predictable SQLite type binding.
Evidence
dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll audit dotnet-risk-patterns --path src/ --json=array
reported sqlite-addwithvalue in:
src/CodeIndex/Database/DbSymbolReader.cs - method: GetSymbolsAtLine
Why it matters
AddWithValue can infer parameter types in surprising ways. Even when the current values are simple strings/integers, keeping a one-off binding style makes future query changes easier to get wrong.
Acceptance criteria
- Replace AddWithValue in symbol lookup code with the repository's explicit SQLite parameter helpers or typed parameters.
- Add/adjust coverage for GetSymbolsAtLine if needed.
- The dotnet risk audit no longer reports this production sqlite-addwithvalue hit.
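To illustrate the two binding styles the acceptance criteria contrast, here is an added before/after sketch; it is not code from CodeIndex (whose parameter helpers are not named in this issue), and the symbols table schema, method names and SQL are assumed:

```csharp
using System.Collections.Generic;
using Microsoft.Data.Sqlite;

// Assumed schema (not taken from the issue):
//   symbols(path TEXT, name TEXT, start_line INTEGER, end_line INTEGER)
public static class SymbolLookupExample
{
    const string Sql =
        "SELECT name FROM symbols " +
        "WHERE path = $path AND start_line <= $line AND end_line >= $line";

    // Style flagged by the audit: the SQLite storage class is inferred from
    // the runtime type of each value, so the query's binding contract is
    // invisible here and silently changes if a caller later passes a
    // different type (e.g. a string line number, or null instead of DBNull).
    public static List<string> GetSymbolsAtLine_AddWithValue(
        SqliteConnection conn, string path, int line)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = Sql;
        cmd.Parameters.AddWithValue("$path", path);
        cmd.Parameters.AddWithValue("$line", line);
        return ReadNames(cmd);
    }

    // Replacement style: each parameter declares its SqliteType up front,
    // matching the column's declared affinity, so the intended binding is
    // explicit and reviewable at the call site.
    public static List<string> GetSymbolsAtLine_Typed(
        SqliteConnection conn, string path, int line)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = Sql;
        cmd.Parameters.Add("$path", SqliteType.Text).Value = path;
        cmd.Parameters.Add("$line", SqliteType.Integer).Value = line;
        return ReadNames(cmd);
    }

    static List<string> ReadNames(SqliteCommand cmd)
    {
        var names = new List<string>();
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
            names.Add(reader.GetString(0));
        return names;
    }
}
```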