I have a .NET 5 application that is being scanned for review in SonarCloud. I have the project set up correctly as far as I can see, and scans are making it into SonarCloud. BUT… it doesn’t appear to be registering any code smells or security issues. It just gives it an A grade and shows zero issues.
I intentionally added a hard coded password to the Program → Main() method to throw a security issue. But it looks like it ignored it. Below is a screenshot showing that SonarCloud sees the correct code, that it was recently added, but it doesn’t show any problems with it.
Any thoughts on what I might be missing on successfully scanning this C# code?
BUT… I have added the <SonarQubeTestProject>false</SonarQubeTestProject> to each of the projects and removed references to any project with “Test” in the name, but I still cannot get it to scan.
So I tried installing SonarQube locally (Docker) and scanning locally rather than up in Bitbucket Pipelines. Without any changes to the repo, everything works as expected.
Hey Trey! I can at least tell you why the hard-coded password is not detected here. It is because of SONARJAVA-3252. To reduce false positives, no issue is raised if the string literal contains the wordlist item. So string password = "this_is_hardcoded"; should be detected.
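To illustrate the heuristic described in the reply above, here is a small added example; it is not Sonar's own implementation. It flags a string literal assigned to a credential-named variable, but suppresses the finding when the literal itself contains a word from the list, which is why a literal like "password" is silently skipped while "this_is_hardcoded" is reported. The word list, the regex and the sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed credential word list standing in for the rule's parameter (assumption).
CREDENTIAL_WORDS = ("password", "passwd", "pwd", "passphrase")

# Matches C# assignments of a string literal, e.g.  string password = "x";
ASSIGNMENT = re.compile(
    r'\b(?:string|var)\s+(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>[^"]*)"\s*;'
)


@dataclass
class Finding:
    line: int
    name: str
    reported: bool   # False when the false-positive heuristic suppressed it
    reason: str


def mentions_credential_word(text):
    lowered = text.lower()
    return any(word in lowered for word in CREDENTIAL_WORDS)


def scan(source):
    """Return one Finding per credential-like assignment, marking suppressed ones."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = ASSIGNMENT.search(line)
        if not match:
            continue
        name, value = match.group("name"), match.group("value")
        if not mentions_credential_word(name):
            continue  # variable name is not credential-like
        if value == "":
            continue  # an empty literal is not a secret
        if mentions_credential_word(value):
            # The literal mentions a credential word, so the rule treats it as a
            # placeholder rather than a real secret and stays quiet.
            findings.append(Finding(lineno, name, False, "literal contains a credential word"))
        else:
            findings.append(Finding(lineno, name, True, "hard-coded credential"))
    return findings


# Constructed sample C# lines (not from the original project).
SAMPLE = '''string password = "password";
string password = "this_is_hardcoded";
string pwd = "";
var connectionTimeout = "30";
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```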
Thank you for that response. I am curious why the local SonarQube instance is finding different code smells and issues compared to SonarCloud? As of now, I have yet to get SonarCloud to show a single issue with anything that I submit.
I added, from your link, a variable that the scan should have had problems with. But still nothing.