I have a public project I set up on Github and a corresponding project I set up on SonarCloud, to evaluate both Github and SonarCloud. This is a .net + angular project. I intentionally added a .net vulnerability to my project. SonarCloud successfully found it, and it was also reported on the Github security tab. I then resolved the problem. I didn’t use a PR to fix the vulnerability, I had a direct commit to my main branch. SonarCloud discovered that I fixed the problem, and the vulnerability shows as closed(fixed) on SonarCloud. However, in Github, it still shows as open. I did follow the instructions for setting up a .net project per the instructions at the very bottom of this page: GitHub - SonarSource/sonarcloud-github-action: Integrate SonarCloud code analysis to GitHub Actions, where it says
- You want to analyze a .NET solution: Follow our interactive tutorial for GitHub Actions after importing your project directly into SonarCloud
Am I doing something wrong, or is this expected behavior? Thanks!
I think you’re referring to GitHub Code Scannig Alerts, is that right?
We have some documentation specifically about issue states… but quite frankly I’m not able to glean from the documentation what happens when the code is actually fixed.
I’ll flag this for attention from some experts.
I am taking a look into this issue, can I check firstly if you are using the autoscan process for your project or if you are using the github action? If you are using the github action could you please share with my your github build.yml as this might help in identifying where the issue is coming from.
Colin - Yes, that’s correct, I’m referring to the GitHub Code Scanning Alerts. The line in the doc you linked that specifically confuses me is Resolved (fixed) → Open. I know there’s a fixed state because I’ve also been experimenting with CodeQL, and it transitions issues to that state when they’re resolved.
I’m using a GitHub Action. Feel free to poke around in my project. The github project is at GitHub - lukegeor/insecure-project-3, and the sonarcloud project is at SonarCloud. The main branch had a vulnerability in WeatherForecastController.cs which you can see at SonarCloud. Sonar shows the issue as Closed (fixed). Github security (which I don’t think you can see without being a project collaborator) shows the issue as open.
Thank you @lukegeor, we have been able to recreate the issue you are describing. We are currently investigating the reasons for this, I will update you with our findings soon.
Thank you! If you need collaborator access to my github project please let me know and I’ll add you so you can see the security alerts. As I said, this is just an evaluation project so there’s nothing confidential there.
I wanted to keep you updated, we have been able to recreate this issue with some other developers on associated projects and we are seeing some differing behaviors. We are investing solutions however it may take some time to come to a full resolution.
Thank you for bringing the issue to our attention
Let me know if there’s anything I can do to help.
@shane.findley I was just playing some more with my GitHub repo. I CURRENTLY have automatic scanning turned off for my project. However, it is possible that at one point when I was initially setting everything up, that I had it enabled and then switched over to using GitHub actions. The reason I bring this up is because I have a second PR I created, with new vulnerabilities, and there were no PR comments automatically generated except for the summary comment. Is it possible that if I had automatic scanning enabled when I introduced the vulnerability, but then switched over to GitHub actions, and then fixed the vulnerability, that’s why the comment would show inline with the PR and not be resolved when the vulnerability is fixed?