Fixing C# security issues

We’ve been working to mitigate security issues identified by SonarQube Cloud in our code. It’s been a frustrating process, to be honest. It seems like the issues only show up in the trunk branch (main), and so to get any feedback on whether we have resolved the issue we have to merge to trunk.

For context, we use GitHub and pull requests and have those configured in SonarQube. Pull requests show up in the project navigation as does the main branch as our only long-running branch.

The rule in question is roslyn.sonaranalyzer.security.cs:S6680. This rule does not show up using the extension locally and does not show up in the pull request’s analysis.

Are we doing something wrong? How should we be getting feedback on whether our fix has satisfied the rule?

Hey @Tyson_Stewart

We fixed this feature in SonarQube Server (probably my favorite feature in a long time) to show what issues in a PR have been fixed. This is especially useful for rules that won’t show up in SonarQube for IDE (all the rules prefixed with roslyn.sonaranalyzer.security.cs are included here).

This feature hasn’t made its way to SonarQube Cloud yet. You can vote for it here.

Thanks, @Colin. Really frustrating that this is the way it currently works. I did vote on the issue and I appreciate you sharing the link with me!
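
Until the "fixed in this PR" view reaches SonarQube Cloud, one way to get feedback on a rule that SonarQube for IDE does not run is to query the analysis results directly. The script below is an added example and is not code from the thread or from SonarSource; it builds a request against the SonarQube Cloud Web API endpoint api/issues/search (a real endpoint, with its `componentKeys`, `rules`, `branch`, `pullRequest` and `resolved` parameters) and summarizes which files still carry unresolved issues for roslyn.sonaranalyzer.security.cs:S6680. The project key `my-org_my-project`, the token handling and the sample response are assumptions; the sample JSON is constructed so the script runs offline.

```python
"""Check whether a given Sonar rule still reports unresolved issues on a branch or PR.

Added example, not from the forum thread or from SonarSource. Assumes the
SonarQube Cloud Web API endpoint api/issues/search; the project key and the
response below are constructed for illustration.
"""
import json
import os
import urllib.parse
import urllib.request

RULE_KEY = "roslyn.sonaranalyzer.security.cs:S6680"


def build_issues_url(base_url, project_key, rule_key, branch=None,
                     pull_request=None, page_size=500):
    """Build an api/issues/search URL for unresolved issues of one rule.

    `branch` and `pull_request` are mutually exclusive, as they are in the API:
    a PR analysis is a separate component tree from the long-lived branch.
    """
    if branch and pull_request:
        raise ValueError("pass either branch or pull_request, not both")
    params = {
        "componentKeys": project_key,
        "rules": rule_key,
        "resolved": "false",   # only issues that are still open
        "ps": str(page_size),  # page size; paginate with "p" if total exceeds it
    }
    if branch:
        params["branch"] = branch
    if pull_request:
        params["pullRequest"] = str(pull_request)
    return base_url.rstrip("/") + "/api/issues/search?" + urllib.parse.urlencode(params)


def fetch_issues(url, token):
    """Perform the live call. Assumes bearer-token auth; keep the token in the environment."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_issues(payload):
    """Map each file component to the sorted lines still flagged in a search response."""
    by_file = {}
    for issue in payload.get("issues", []):
        if issue.get("resolution"):
            continue  # defensive: resolved=false should already exclude these
        by_file.setdefault(issue["component"], []).append(issue.get("line"))
    return {comp: sorted(ln for ln in lines if ln is not None)
            for comp, lines in by_file.items()}


def rule_is_clean(payload):
    """True when the query returned no unresolved issue for the rule."""
    return payload.get("total", 0) == 0 and not payload.get("issues")


# Constructed sample response, not captured from SonarQube Cloud.
SAMPLE_RESPONSE = {
    "total": 2,
    "issues": [
        {"key": "issue-1", "rule": RULE_KEY, "status": "OPEN",
         "component": "my-org_my-project:src/Web/Upload.cs", "line": 42},
        {"key": "issue-2", "rule": RULE_KEY, "status": "OPEN",
         "component": "my-org_my-project:src/Web/Upload.cs", "line": 17},
    ],
}


if __name__ == "__main__":
    url = build_issues_url("https://sonarcloud.io", "my-org_my-project",
                           RULE_KEY, branch="main")
    print("query:", url)
    token = os.environ.get("SONAR_TOKEN")
    # With a token set, inspect the real branch; otherwise use the constructed sample.
    payload = fetch_issues(url, token) if token else SAMPLE_RESPONSE
    if rule_is_clean(payload):
        print("no unresolved issues for", RULE_KEY)
    else:
        for component, lines in summarize_issues(payload).items():
            print(f"{component}: lines {lines}")
```

Run it once with `branch="main"` before the merge and once with `pull_request="<number>"` after the PR analysis has finished; if the PR query returns the same locations as main, the PR analysis did see the rule and the fix did not satisfy it, whereas a lower count on the PR than on main is the signal the thread was missing.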
