C# Security Issue Not Being Caught

I have a .NET 5 application that is being scanned for review in SonarCloud. I have the project set up correctly as far as I can see, and scans are making it into SonarCloud. BUT… it doesn’t appear to be registering any code smells or security issues. It just gives it an A grade and shows zero issues.

I intentionally added a hard-coded password to the Program → Main() method to throw a security issue. But it looks like it ignored it. Below is a screenshot showing that SonarCloud sees the correct code and that it was recently added, but it doesn’t show any problems with it.

image

Any thoughts on what I might be missing on successfully scanning this C# code?

EDIT:

So I initially deleted this post thinking I was re-asking a question I had asked before: SonarCloud not catching intentional hard-coded password

BUT… I have added the <SonarQubeTestProject>false</SonarQubeTestProject> to each of the projects and removed references to any project with “Test” in the name, but I still cannot get it to scan.

So I tried installing SonarQube locally (Docker) and scanning locally instead of up in Bitbucket Pipelines. Without any changes to the repo, everything works as expected.

Local SonarQube


Bitbucket

Hey Trey! I can at least tell you why the hard-coded password is not detected here. It is because of SONARJAVA-3252. To reduce false positives, no issue is raised if the string literal contains the wordlist item. So string password = "this_is_hardcoded"; should be detected.
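As an added illustration of the behaviour described in that reply (example code, not from the thread or from SonarSource): a small canary Main() with one literal that contains the wordlist term and one that does not, plus the configuration-based replacement a scanner should be happy with. The expected outcomes are those the reply describes, and the DB_PASSWORD environment variable name is an assumption.

```csharp
using System;

namespace HardcodedSecretCanary
{
    // Drop this into Program.cs of a throwaway project to check whether the
    // hard-coded-credential rule fires in your scan at all.
    public static class Program
    {
        // Per the reply above (SONARJAVA-3252): a literal that itself contains the
        // wordlist item ("password") is skipped to reduce false positives, so this
        // assignment is expected NOT to be reported. Still a bad idea in real code.
        private const string SuppressedCanary = "my_password_123";

        public static string GetConnectionString()
        {
            // Expected to be reported: a credential-named variable holding an
            // unrelated literal, exactly the case the reply says is detected.
            string password = "this_is_hardcoded";
            return BuildConnectionString("app_user", password);
        }

        public static string GetConnectionStringSafely()
        {
            // The remediation: pull the secret from configuration at runtime so no
            // literal ever lands in the repository. Variable name is assumed.
            string password = Environment.GetEnvironmentVariable("DB_PASSWORD")
                ?? throw new InvalidOperationException("DB_PASSWORD is not set");
            return BuildConnectionString("app_user", password);
        }

        private static string BuildConnectionString(string user, string password)
        {
            return $"Server=db;User Id={user};Password={password};";
        }

        public static void Main()
        {
            Console.WriteLine(SuppressedCanary.Length);          // keeps the const referenced
            Console.WriteLine(GetConnectionString());
        }
    }
}
```

If the second assignment is not flagged, the scan itself is the problem (as it turned out to be in this thread), not the rule's wordlist filtering.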

Thank you for that response. I am curious why the local SonarQube instance is finding different code smells and issues compared to SonarCloud? As of now, I have yet to get SonarCloud to show a single issue with anything that I submit.

I added, from your link, a variable that the scan should have had problems with. But still nothing.


Both systems use the same analyzers, so it should not be. Can you include the scan logs? Maybe they contain a hint.

So I was able to get it working, and it was strange. I looked in the scan logs and came across this warning message:
image

I checked and sure enough the main branch was set to another branch and no master branch had been pushed to Bitbucket for this repo.

As soon as I pushed a master branch up and re-ran the scan, all of a sudden all the security issues and code smells appeared (over 40 of them).

Not sure what’s going on, but good to know that a repo has to have a master branch to successfully scan.
