How can I set my custom rules to vulnerabilities?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)

  • what are you trying to achieve

  • what have you tried so far to achieve this

  • my environment settings…
    sonarqube 7.9.1
    sonarscanner 4.6.2
    C# language

Good day,

I’d like to set my custom rules from ‘Code Smells’ to ‘Vulnerabilities’.
I think that the default option about custom rule is ‘Code Smells’

I’ve been testing my custom rules by using Visual studio 2017 Analyzer with Code Fix(.NET Standard) project.

I can set ‘DiagnosticSeverity’ options to Info/Warning/Error in DiagnosticCodes class.
but I couldn’t find the way to set my rules to ‘Vulnerabilities’.

I’m going to try to keep going to find the way.
I don’t suppose that if you know the way to solve this problem, Please let me know.

Best regards,
Steve Kim.

hello @steve,

There’s a way to do what you want but that’s not in your custom rules code.
When importing the issues of your custom rules, you can map some rules with the 3 available types (Bug, Vulnerability and Code Smell) based on labels that would exist in your rule Category.
The 3 SonarQube properties that manage this mapping are sonar.cs.roslyn.bugCategories, sonar.cs.roslyn.vulnerabilityCategories and sonar.cs.roslyn.codeSmellCategories

You may want to read and to understand exactly how those 3 properties work.

These settings can be configured in the Administration --> General Settings --> External Analyzers menu of SonarQube.


I really appreciate for your reply.

I’ve tried several times as your reply, but I couldn’t find the solution.
I can’t understand ‘rule Category’ meaning what you said.

I tried as below,

First, I added the list of relating about my rule keyword on ‘Rule categories associated with Vulnerabilities’ as you can see.

Second, I checked whether if my rule is changed to vulnerabilities. (but It isn’t changed)
Third, I restarted my sonarqube server, then I checked again my rules. (but It isn’t changed)
Fourth, I removed my custom rule plugin on my sonarqube plugin. restart and I added again my custom rule plugin. (but It isn’t changed)

All of my rules are still ‘Code Smells’.
what did I miss?

Thank you.


It does not work because you did not enter the right data in the fields. You umust not provide the rule id, or source files or whatever you tried. I am not expert in Roslyn but when you create a Roslyn rule you can define the rule Category (see 2nd screenshort and the sample code defining a custom rule Category at

Once the rule Category is defined, this is that same Category string that you should enter in the SonarQube UI.

Let me know if that helps.

1 Like

Thank you Olivier, your reply is so useful for me.
Although I read all of the article what you said, It still doesn’t work.

I checked my roslyn custom rule’s category.
it is like as below…

and I set my sonar web UI setting as below…

and I restarted my sonarqube web server, I set again about my Qualtify Profiles, I rebuild(sonar-scanner) my solutions again.
but All of the rules are still ‘Code Smell’ type, and the results of the scanning are still checked by ‘Code Smell’

So, I’ve tried again and again by using sample source of "
Analyzer with Code Fix (.NET Standard)"

This analyzer include 1 rule which have a category name is ‘Naming’.

and I repeated all the process about setting type to vulnerabilities.
However, I finally failed to set the rule’s type from ‘Code Smell’ to ‘Vulnerabilities’.

What I really want to know is that the timing when the rule is changed from ‘Code Smell’ to ‘Vulnerabilities’.
If you know some references where I can get some information about these cases, (like sample roslyn rules or something) Please let me know where can I find some hint.

Hi, I’ve found what is the difference about my ruleset when I adjust vulnerabilities option to my custom rules.

As I said, I just wanted to be applied my custom rules as vulnerabilities type when I input command about Sonarscanner on Vsdevcmd.

Thanks to your answer, I added my custom rule’s category name on “Rule categories associated with Vulnerabilities” option in General Settings(External Analyzer).

However, you know, I failed to change my custom rules to Vulnerability type. My custom rules are still ‘Code smells’ type.
Today, I noticed that my custom rules which I added rule category name are changed.

As you can see the picture I attached, my custom rule’s description is changed. The comment in the picture was added(sonar.cs.roslyn.vulnerabilityCategories).

What I want to say is that, Is there another way to solve this issue?