Azure DevOps: no vulnerabilities or security hotspots in analysis


Using Azure DevOps.
Scanner: SonarScanner extension
Languages: csharp
Note: I am using a separate branch for implementing the SonarCloud steps; the master branch has not yet been scanned or analyzed. (My branch name is branch-sonarcloud, and it is categorized as a long-living branch.)


Most of my .NET Core projects are scanning okay, and I can get the coverage and unit test data in the project; however, none of my projects has any data in the Vulnerabilities or Security Hotspots sections. I'm just wondering if I have missed something? How do I enable this?

From the analysis logs:
2021-02-12T03:07:12.1275596Z INFO: Sensor CSharpSecuritySensor [security]
2021-02-12T03:07:12.1276197Z INFO: Reading type hierarchy from: D:\a\1.sonarqube\out\ucfg_cs2
2021-02-12T03:07:12.4286767Z INFO: Read 1248 type definitions
2021-02-12T03:07:12.4884331Z INFO: Reading UCFGs from: D:\a\1.sonarqube\out\ucfg_cs2
2021-02-12T03:07:13.8192536Z INFO: No UCFGs have been included for analysis.
2021-02-12T03:07:13.8544688Z INFO: Sensor CSharpSecuritySensor [security] (done) | time=1780ms

I've checked the docs and they don't say anything about extra steps for configuring the vulnerability and hotspot features.

Thank you.

Welcome to the community!

Indeed, that’s because no extra steps are needed!

The default quality profile, called Sonar Way, uses a set of rules that we believe make the most sense, catching the most valuable issues with minimal false positives.

Are you using the default quality profile, or a customized one?

Another reason for not seeing relevant issues can be that the correct files are not getting analyzed. Take a look around the Code tab of your project on SonarCloud: if your relevant code files are there, with syntax highlighting, then they should be getting analyzed; otherwise you may need to adjust your configuration.

If everything checks out, it would be great if you could share a piece of code where you expect a vulnerability or hotspot to be raised, so we could confirm whether we have a rule for that, and then why it's not raising an issue.

Thanks Janos, I played around with the code and added stuff that might trigger the vulnerabilities, which it did.
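As an added illustration (not code from this thread, nor SonarSource's own), here is the kind of deliberately flawed canary a practitioner drops into a scanning branch to confirm that the C# security rules are actually wired up, alongside its corrected form. It assumes an ASP.NET Core project that references System.Data.SqlClient; the UsersController class, the Users table and the connection string are made up. A controller action parameter is one of the untrusted sources Sonar's C# taint analysis recognizes, so concatenating it into an SqlCommand is the simplest thing to expect as a Vulnerability, and a password embedded in a connection string literal is the simplest thing to expect as a Security Hotspot. If neither is reported once this file is on the analyzed branch and visible under the Code tab, the problem is in the quality profile or the file inclusion, not in the code being too "clean".

```csharp
// Canary file for verifying SonarCloud's C# security analysis.
// Added example, not from the original thread; names and values are constructed.
using System.Data.SqlClient;
using Microsoft.AspNetCore.Mvc;

namespace SonarCanary.Controllers
{
    [ApiController]
    [Route("api/[controller]")]
    public class UsersController : ControllerBase
    {
        // Expected Security Hotspot: hard-coded credential inside a connection string.
        // Deliberately flawed so the hotspot rule has something to flag; a real service
        // reads the connection string from configuration or a secret store.
        private const string HotspotConnectionString =
            "Server=db.example.local;Database=Canary;User Id=app;Password=ChangeMe123!;";

        // Expected Vulnerability: the action parameter (an untrusted source) flows
        // straight into the query text (a SQL sink) via string concatenation.
        [HttpGet("unsafe-count")]
        public int CountByNameUnsafe([FromQuery] string name)
        {
            using (var conn = new SqlConnection(HotspotConnectionString))
            using (var cmd = new SqlCommand(
                "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'", conn))
            {
                conn.Open();
                return (int)cmd.ExecuteScalar();
            }
        }

        // Corrected form: the same query with a bound parameter and a connection
        // string supplied from outside the code. No issue is expected here, which
        // gives you a negative control next to the positive one above.
        [HttpGet("safe-count")]
        public int CountByNameSafe([FromQuery] string name,
                                   [FromServices] IConnectionStringProvider provider)
        {
            using (var conn = new SqlConnection(provider.Get()))
            using (var cmd = new SqlCommand(
                "SELECT COUNT(*) FROM Users WHERE Name = @name", conn))
            {
                cmd.Parameters.AddWithValue("@name", name);
                conn.Open();
                return (int)cmd.ExecuteScalar();
            }
        }
    }

    // Hypothetical abstraction standing in for configuration or a secret store.
    public interface IConnectionStringProvider
    {
        string Get();
    }
}
```

Keep the canary on the scanning branch only long enough to see the two issues appear in the Vulnerabilities and Security Hotspots tabs, then delete it; it also serves as a quick check after any quality-profile or exclusion change that the security sensor still reaches your code.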
