My project uses NPoco and I wanted to detect sql injection issues when passing tainted strings to NPoco methods. Limiting things to just the Fetch method, I have added a sink configuration:

- Type: NPoco.Database TaintTypes: - SCS0002 Methods: - Name: Fetch Arguments: - sql

This results is many false positives as Fetch method receives two types of arguments (both named sql), a string and NPoco.Sql. Currently there is no way to specify argument count or type for SinkMethod. Next I've tried to specify NPoco.Sql as sanitizer:

- Type: NPoco.Sql TaintTypes: - SCS0002 Methods: - Name: .ctor CleansInstance: true

This does not work as isConstructorSanitizing is always set to false in code. I'm guessing the only way to support NPoco is to extend SCS with additional support for some of these:

• add support for specifying argument count for sink methods
• add support for specifying argument type for sink methods
• add support for specifying constructor sanitization for Sanitizers

Are there currently any plans for extending configuration capabilities of SCS?