Simple enough:
using (IDbCommand cmd = conn.createCommand())
{
List<string> parameterNames = new List<string>();
foreach (var pubId in pubIds)
{
string parameterName = "@p" + parameterNames.Count);
parameterNames.Add(parameterName);
var parameter = cmd.CreateParameter();
parameter.ParameterName = parameterName;
parameter.Value = pubId;
cmd.Parameters.Add(parameter);
}
cmd.CommandType = CommandType.Text;
cmd.CommandText = string.Format(Query, string.Join(", ", parameterNames));
NB: Your scanner may still flag this code for review, depending on how clever it is. But since you're only inserting parameter names into the query, and passing all data values as parameters, the code is not obviously vulnerable.
(If you're using dynamic SQL incorrectly, the code could still be vulnerable; but without seeing the full query, there's no way to know for sure.)