Debug feature in production code, false positive S4507

I’m using the SonarCloud services and scan my open source project with it. For scanning I use SonarScanner for MSBuild version 4.9.0.17385-net46.

I get the following security hotspot issue:
https://sonarcloud.io/project/issues?id=WhereToFly&open=AXIRqllZg2Yetd9XHruV&resolved=false&types=SECURITY_HOTSPOT

In the code, ASP.NET Core’s UseDeveloperExceptionPage() is called, which is an issue unless it is wrapped by an if (env.IsDevelopment()), which I did. The description of S4507 also says this. So I think this is a false positive.

Thanks!
Michael

Hello @vividos

Thanks for reporting this issue.

It’s a known problem; you can look at this ticket, created some weeks ago, to fix the bug.

Eric

Thanks for the link to the GitHub issue, I only did a search here in the forum.
