About the Report False-positive / False-negative... category

Should a rule be adjusted for False-Positives, False-Negatives, or just a better description? Should analysis scope be broadened for a new framework, or language version? Let us know! [Resources: How to Report a False-positive / False-negative]

Hi, We got issues raised by sonarqube on (document).ready function.

  1. Function should not be too complex
  2. Function should not have too many lines

I though that it should not count the (document).ready(function(){}) and count on the functions inside it instead, just like it does in IIFE. Or there should be a way to in JavaScript rule to optionally ignore counts on (document).ready(function(){}) and count on the functions inside it instead

Can we mark it as a false-positive?

In C#, the rule about
“Instance method should not write to static fields . Updating a Static Field from a non-static method or static class is not thread safe when we have multiple class instances and/or multiple threads in play , it may lead to unexpected results.”

if the field is annotated with [ThreadStatic], is it still a problem?
Can we mark it as a false-positive?

we got one with vulnerabity XXE, on TransformerFactory.newInstance() and DocumentBuilderFactory.newInstance();
We put just after this two code’s ligne “setFeature” as they say.
But sonar continue to say, there are a vulnerabilty

How can I make sure that sonar no longer displays these vulnerabilities?