Azure Devops no vulnerability or security hotspots in analysis

Rey_Suela · February 12, 2021, 3:18am

Afternoon,

Details:
Using Azure Devops.
Scanner: SonarScanner extension
Languages: csharp
Note: I am using a separate branch for implementing the sonarcloud steps, the master branch has not yet been scanned or analyzed. (my branch name is branch-sonarcloud, it is a categorized as long living branch)

Issue:

Most of my dotnet core projects are scanning okay, i can get the coverage and unit tests data in the project, however, All of my projects does not have any data in the vulnerability or security hotspots sections. I’m just wondering if I have missed something? How to I enable this?

from: analyze logs
2021-02-12T03:07:12.1275596Z INFO: Sensor CSharpSecuritySensor [security]
2021-02-12T03:07:12.1276197Z INFO: Reading type hierarchy from: D:\a\1.sonarqube\out\ucfg_cs2
2021-02-12T03:07:12.4286767Z INFO: Read 1248 type definitions
2021-02-12T03:07:12.4884331Z INFO: Reading UCFGs from: D:\a\1.sonarqube\out\ucfg_cs2
2021-02-12T03:07:13.8192536Z INFO: No UCFGs have been included for analysis.
2021-02-12T03:07:13.8544688Z INFO: Sensor CSharpSecuritySensor [security] (done) | time=1780ms

I’ve checked the docs and it doesn’t say anything about extra steps for configuring the vuln and hotspots feature.

Thank you.

janos · February 15, 2021, 4:15pm

Welcome to the community!

Indeed, that’s because no extra steps are needed!

The default quality profile called Sonar Way uses a set of rules that believe make the most sense, catching the most valuable issues, with minimal false positives.

Are you using the default quality profile, or a customized one?

Another reason to not see relevant issues can be if the correct files are not getting analyzed. Take a look around the Code tab of your project on SonarCloud, if your relevant code files are there, with syntax highlighting, then they should be getting analyzed, otherwise you may need to adjust your configuration.

If everything checks out, and then it would be great if you could share a piece of code where you expect some vulnerability / hotspot to be raised, so we could confirm if we have a rule for that, and then why it’s not raising an issue.

Rey_Suela · February 26, 2021, 10:07am

Thanks Janos, I played around with the code and added stuffs that might trigger the vulnerabilities, which it did.

Topic		Replies	Views
SonarCloud is not detecting vulnerabilities of the Project Report False-positive / False-negative... dotnet , sonarqube-cloud	18	1523	January 9, 2023
Value of parameter ‘types’ (SECURITY_HOTSPOT) must be one of: [CODE_SMELL, BUG, VULNERABILITY] SonarQube Cloud sonarqube-cloud	1	496	March 29, 2022
Security Hotspot decoration in Azure DevOps pull requests SonarQube Cloud azuredevops-services , pull-request , security-hotspot , sonarqube-cloud	11	1755	November 10, 2025
No vulnerabilties in SonarCloud SonarQube Cloud security	5	640	April 29, 2020
Rule violations not reported to SonarCloud SonarQube Cloud csharp , azuredevops-services , dotnet	6	1042	April 11, 2019

Azure Devops no vulnerability or security hotspots in analysis

Related topics