C#: Azure Function HttpTrigger SQL Injection is not being detected
Description of the issue
A CodeQL scan does not report the SQL injection vulnerability in the following Azure Function HTTP trigger:
using System.Net;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Data.Sqlite;
using Microsoft.Extensions.Logging;
using Dapper;
namespace DavidF.Demo.GithubActions.Functions;
/// <summary>
/// Minimal Azure Functions (isolated worker) HTTP trigger used to reproduce the
/// report above: a query-string value flows unescaped into a SQL statement.
/// </summary>
public class HelloWorldFunction
{
// Injected once and reused for every invocation; see the note in Run().
private readonly SqliteConnection _sqliteConnection;
private readonly ILogger _logger;
/// <summary>Stores the injected connection and creates a logger for this function.</summary>
/// <param name="loggerFactory">Factory used to create this function's logger.</param>
/// <param name="sqliteConnection">Connection that <see cref="Run"/> queries.</param>
public HelloWorldFunction(ILoggerFactory loggerFactory, SqliteConnection sqliteConnection)
{
_sqliteConnection = sqliteConnection;
_logger = loggerFactory.CreateLogger<HelloWorldFunction>();
}
/// <summary>
/// Handles GET/POST requests and returns the rows matching the <c>name</c> query parameter as JSON.
/// The <c>AuthorizationLevel.Function</c> setting only gates the call behind a function key; it does nothing
/// to validate the value of <c>name</c>.
/// </summary>
/// <param name="req">The incoming HTTP request; <c>req.Query["name"]</c> is request-controlled input.</param>
/// <returns>A 200 response whose body is the query result serialised as JSON.</returns>
[Function("HelloWorldFunction")]
public async Task<HttpResponseData> Run([HttpTrigger(AuthorizationLevel.Function, "get", "post")] HttpRequestData req)
{
_logger.LogInformation("C# HTTP trigger function processed a request.");
// SOURCE: untrusted request data is interpolated straight into the SQL text (CWE-89).
// This line is intentionally vulnerable; it is the pattern SqlInjection.ql is expected to flag.
// The mitigation is a parameterised query, e.g. "... WHERE Name = @name" with the value passed
// as a Dapper parameter object rather than spliced into the string.
var sql = $"SELECT * FROM USER WHERE Name = '{req.Query["name"]}'";
// NOTE(review): Open() is called on every invocation of the shared, injected connection and nothing
// here closes it — confirm the connection's registered lifetime matches this usage.
_sqliteConnection.Open();
// SINK: the tainted string is executed through Dapper's QueryAsync extension.
var res = await _sqliteConnection.QueryAsync<UserDto>(sql);
var response = req.CreateResponse(HttpStatusCode.OK);
await response.WriteAsJsonAsync(res);
return response;
}
/// <summary>Row shape that the query results are mapped to.</summary>
public record UserDto(long Id, string Name);
}
Tested in GitHub Actions and also locally with the CLI:
c:\codeql\codeql.exe database analyze "codeql-db" --format=sarif-latest --output="codeql-output" --threads=0 '..\codeql\csharp\ql\src\Security Features\cwe-089\SqlInjection.ql'