We use Azure DevOps and SonarCloud to build a .NET project.
SonarCloud reported a Security Hotspot, and we assessed it and marked it as “Safe” in the SonarCloud UI.
However, the build log continues to show a warning for this issue (we did not change any code).
What is the correct way to eliminate this warning, once the Security Hotspot has been assessed?
We tried to use “#pragma warning disable/restore” but this seems to make no difference for Security Hotspots.
We ended up concluding the only option we had was to use the SuppressMessageAttribute.
What is the recommended approach for this kind of scenario, where the flagged code will not be changed?
I already read these without finding any clear guidance:
The MSBuild scanner does not get the project settings from SonarCloud and use those for the scan, so it’s going to report errors for the wrong rules if you have different rules configured than “Sonar way”; it’s going to not honor your ignores/FP for security exceptions, etc., etc.
There’s a ticket on this board somewhere for fixing that MSBuild scanner and project integration; if you go through my comment history you probably will find it. Or search for it.