Conditional NULL check in prepared statement Sonar error

I'm trying to write a prepared statement in Java to conditionally filter for rows that contain or not a certain field. However, Sonar gives me a linter error: This use of java/sql/Connection.prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement; can be vulnerable to SQL injection (with JDBC). The query looks like this:

String query = "SELECT * from my_table t " +
    "WHERE t.connection_id IS " + (connected ? "NOT " : "") + "NULL " +
    (search.isEmpty() ? "" : "AND (t.source LIKE ?)");
PreparedStatement statement = connection.prepareStatement(query);

What's interesting is that I didn't get the error when I only had the search in place - so I expected to have the error for either both the search and the filter, or for neither of them.

I have tried also to change the second line to:

"WHERE " + (connected ? "t.connection_id IS NOT NULL " : "t.connection_id IS NULL ") +

but no change. Am I missing something? Is there something I can do to fix the error, or should I just ignore it?

Your query (as shown) is correct and is not actually vulnerable to SQL injection. That said, there are difficulties in writing a static code analyzer. It sees that you are building a SQL query and concatenating based on input which is THE classic marker for a SQL injection vulnerability.

This is one of those situations where it's probably easier just to refactor your code than to try to fix the tool. Tools like Sonar really are great and they find a lot of good stuff, but sometimes you get a false positive. I would NOT just ignore it ... you don't want to get in the habit of ignoring warnings about something like SQL Injection.