Debug feature in production code, false positive S4507

I’m using the SonarCloud services and scan my open source project with it. For scanning I use SonarScanner for MSBuild version

I get the following security hotspot issue:

In the code, ASP.NET Core’s UseDeveloperExceptionPage() is called, which is an issue, unless it is wrapped by an if (env.IsDevelopment()), which I did. The description of S4507 also says this. So I think this is a false-positive.


Hello @vividos

Thanks for reporting this issue.

It’s a known problem, you can look at this ticket created some weeks ago to fix the bug.


Thanks for the link to the GitHub issue, I only did a search here in the forum.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.