This is an application with a SQL injection flaw that is not being picked up by Veracode. This version of the application is built using .NET 6, but there is also a .NET Core 3.1 version with the same problem.
The application starts in the .Web project's Program.cs. It calls Console.ReadLine() to read in an untrusted string, and then sends it to the .Application project's Processor.cs, which then sends the string to the .Infrastructure project's Repository.cs. The repository uses EntityFramework to execute a raw SELECT statement on a PostgreSQL database, using string interpolation to pass through the untrusted string. This allows the user to inject whatever SQL they would like.
If you would like to run the application on your local machine, you'll need a PostgreSQL database. You can spin one up easily using Docker's official postgres:14 image. The application's connection string can be found in the .Web project's appsettings.json file. Then simply open the solution in Visual Studio, and start the .Web application.
Below is an example screenshot of running the application, and injecting the string '; INSERT INTO public."table"(column_name) VALUES ('two');--
