About the Report a False-positive / False-negative category

If the latest version of a SonarSource product is reporting what you believe to be a False-Positive (or not reporting what you believe is a False-Negative) then report it and help us improve our products! [Resources: How to Report a False-positive / False-negative]

Hi, we got issues raised by SonarQube on the (document).ready function.

  1. Function should not be too complex
  2. Function should not have too many lines

I thought that it should not count the (document).ready(function(){}) and count on the functions inside it instead, just like it does in IIFE. Or there should be a way in the JavaScript rule to optionally ignore counts on (document).ready(function(){}) and count on the functions inside it instead.

Can we mark it as a false-positive?

In C#, the rule about
“Instance method should not write to static fields. Updating a Static Field from a non-static method or static class is not thread safe when we have multiple class instances and/or multiple threads in play, it may lead to unexpected results.”

If the field is annotated with [ThreadStatic], is it still a problem?
Can we mark it as a false-positive?

We got one with an XXE vulnerability, on TransformerFactory.newInstance() and DocumentBuilderFactory.newInstance().
We put “setFeature” just after these two lines of code, as they say.
But Sonar continues to say there is a vulnerability.

How can I make sure that sonar no longer displays these vulnerabilities?
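
For reference alongside the XXE question above, an added example (not part of the original posts and not SonarSource's code) of restricting DTD and external access on both factories with standard JAXP settings. The class and method names are hypothetical, the XML input is constructed, and it assumes the JDK's built-in JAXP implementation (JAXP 1.5 or later).

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardening { // hypothetical class name

    static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE, so no entity (internal or external) can be declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // JAXP 1.5 properties: an empty string permits no protocol at all.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Block external DTDs and external stylesheets (xsl:import / xsl:include).
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE that declares an internal entity only.
        String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE r [<!ENTITY e \"constructed\">]><r>&e;</r>";
        try {
            hardenedDocumentBuilderFactory().newDocumentBuilder()
                    .parse(new InputSource(new StringReader(xml)));
            System.out.println("parsed: DOCTYPE was accepted (not hardened)");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        hardenedTransformerFactory().newTransformer(); // identity transformer still builds
        System.out.println("TransformerFactory configured");
    }
}
```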