I’m a bit in the dark on how I can help SonarCloud understand that we are actually validating/whitelisting user input so we can get rid of some blocker issues and get a nice pretty rating on our project.
As an example, we have a C# application with some MVC controllers that delete resources from a folder managed by the application. We do a lot of validation on the input and make quite some effort on generating a path that is a valid and safe path.
Here we get a ‘Refactor this code to not construct the path from tainted, user-controlled data.’
Another example is some actions that have a redirectUrl as a parameter, for example in a Login action.
SonarCloud gives me a nice ‘Refactor this code to not perform redirects based on tainted, user-controlled data.’ issue, but all code is doing checks to make sure the input we receive is safe.
How can I let SonarCloud know about this? Do any of you guys have some suggestions maybe?
Marking these issues as a false positive does not feel right.