The sonar warning tells precisely what it warns about:
"A prepared statement is generated from a nonconstant String"
That doesn't mean that your code is vulnerable to SQL injection attacks. That simply means that it could be. If you're absolutely sure that there is no way for a user to inject a database schema or table name, then simply ignore the warning.