All issues showing as code smells

Continuing our trial of Developer edition. Stack is essentially Visual Studio, Bitbucket & Bamboo server, and SonarQube server/scanner using MSBuild commands from Bamboo.

The problem I’m running into is that when I introduce random code violations to familiarize myself with the SQ interface, they are ALL being reported only as code smells. This is a problem because we will want to build a more strict quality gateway that takes issue severity into account.

Here are some examples that I copied directly from the “noncompliant code example” snippets in the SQ rules pages and pasted directly into code:

  1. “Cryptographic keys should be robust” (csharpsquid S4426) which the SQ rule page says is a Vulnerability, Blocker, and tagged with cwe, and owasp.
  2. “OS Commands should not be vulnerable to injection attacks” (CS: S2076) which the SQ rule page says is a Vulnerability, Blocker, and tagged with cwe, and owasp.
  3. “Database queries should not be vulnerable to injection attacks” (CS: S3649) which the SQ rule page says is a Vulnerability, Blocker, and tagged with cwe, and owasp.
  4. “Creating cookies without the “secure” flag is security-sensitive” (csharpsquid:S2092) which the SQ rule page says is a Security Hotspot, and tagged with cwe, and owasp.

There are several others. But I can’t get it to report any bugs, vulnerabilities, or security hotspots. What am I doing wrong?

Hi @DA75,

Can you share some screenshots and the version of SonarQube installed?
It may help to understand your issue :slightly_smiling_face:

Thanks,
Carine

Hi @DA75

Do you mean that you know in advance that your code has some serious vulnerability or security spot but SQ is not reporting them as so? If that is the case we would really appreciate getting the sample to see why it is not the case.

Thanks

Developer version 8.4.1, using a trial license.

I introduced the following random code issues which all show up as code smells in the SQ project interface.

I did this by going to the sonarqube rule definition pages for each, and copy and pasting the noncompliant code into my code. Most of these are listed as Vulnerabilities or Security issues on the rule definition page. Here is an example of one that, after copy and pasting the noncompliant code, resulted in being called a “Possible command injection” code smell (it’s the 1st issue in the top screenshot), even though it’s tagged as a Vulnerability in the rule definition. This is happening for every issue, so I think I must be doing something wrong.

Hi Mathieu, yes I’m trying purposefully to introduce code violations to gain experience with quality profiles and quality gates. The problem is that when using the noncompliant code snippets provided in Sonarqube, I can’t get any results back other than “code smells”.
I’m literally copying the noncompliant code for each of these from sonarqube. e.g., http://xxx.xxx.x.xxx:9000/coding_rules?languages=cs&open=roslyn.sonaranalyzer.security.cs%3AS2076&types=VULNERABILITY

Edit: this was the problem: https://docs.sonarqube.org/latest/analysis/external-issues/ “Notes on external .NET issues” section.

I believe I see part of the problem. The code violations were originating from the existing Visual Studio Roslyn analyzer and the SecurityCodeScan analyzer (a nuget package which extends the base ruleset for owasp violations) and being reported through sonarqube.
The wording of the violations reported in sonarqube matched the local Visual Studio analyzer wording for these issues, as shown below. After removing all local analyzers from the project, the issues are no longer reported in SonarQube. I’m not sure why analysis from other analyzers would be shown in the SonarQube results, but this appears to have been the case.

The problem I have now after removing the local analyzer packages, is that none of the noncompliant code violations I inserted into the test project are being reported in SonarQube.

Hi @DA75

By default, 3rd party issues coming from Roslyn analyzers are imported into SonarQube (see https://docs.sonarqube.org/latest/analysis/external-issues/ - Notes on external .NET issues). You need to explicitly disable the import using the scanner parameter sonar.cs.roslyn.ignoreIssues set to true.

How are you scanning your project? Can you give some specific code examples where you expect issues to appear and it doesn’t happen?
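As an added illustration (not code from the thread or from SonarSource), this is what the scanner-for-MSBuild steps in a Bamboo script task look like with the import of third-party Roslyn issues switched off; the project key, server URL and the `SONAR_TOKEN` environment variable are assumed placeholders.

```powershell
# Added example: SonarScanner for MSBuild begin/build/end, as run from a Bamboo script task.
# Assumed values: project key, server URL and a token injected by Bamboo as $env:SONAR_TOKEN.
$ProjectKey = "my-dotnet-project"              # assumption
$HostUrl    = "http://sonarqube.example:9000"  # assumption
$Token      = $env:SONAR_TOKEN                 # assumption

# By default, issues raised by every Roslyn analyzer in the build (the VS analyzers,
# SecurityCodeScan, ...) are imported into SonarQube as external issues, which is what
# produced the Code Smell-only results described above. sonar.cs.roslyn.ignoreIssues=true
# drops them so that only SonarAnalyzer's own rules (csharpsquid:*), with their real
# types and severities, reach the project and the quality gate.
& SonarScanner.MSBuild.exe begin `
    /k:"$ProjectKey" `
    /d:sonar.host.url="$HostUrl" `
    /d:sonar.login="$Token" `
    /d:sonar.cs.roslyn.ignoreIssues=true
if ($LASTEXITCODE -ne 0) { throw "SonarScanner begin failed" }

# The build must happen between begin and end so the analyzers run inside MSBuild.
& MSBuild.exe /t:Rebuild /p:Configuration=Release
if ($LASTEXITCODE -ne 0) { throw "MSBuild failed" }

& SonarScanner.MSBuild.exe end /d:sonar.login="$Token"
if ($LASTEXITCODE -ne 0) { throw "SonarScanner end failed" }
```

The parameter is a scanner-side setting, so it is passed on the begin step rather than configured on the server.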

The “problem” was exactly what you mention and I eventually found and linked to in a response above. This pass-through feature for other analyzers wasn’t apparent to me in the documentation at first until I searched further.
The other issue with no SQ scanner issues showing up resolved itself after a server restart. Unsure why.
