Version: SonarQube 8.9.5, Azure DevOps Server 2020.1.1 using SonarQube build tasks
Error: Once an issue is known to SonarQube, it will not reclassify the issue during subsequent scans of the same code branch.
Steps to reproduce:
- Analyze a .NET project including external Roslyn rules with default settings. Those rules will be classified as a Code Smell by default.
- Add classification configuration, either in the Administration - External Analyzers section in SonarQube, or via analysis configuration such as sonar.cs.roslyn.bugCategories or sonar.cs.roslyn.vulnerabilityCategories. For reference: Importing Third-Party Issues | SonarQube Docs
- Analyze the same code branch again. The issues will remain classified as Code Smell. Note that this may also affect the issue severity; I have not tested this specifically.
- Analyze a different code branch that has not been analyzed in SonarQube before. The issues will be classified correctly there.
When a SonarQube-internal rule is reclassified, this flows through to the projects. I would expect the same for external rules.
Potential workarounds:
- See How to find rule category for external .NET analyzer (Microsoft.CodeAnalysis.NetAnalyzers)
- Manually reclassify the existing issues
Code that’s responsible for classifying external issues and rules: Import third party Roslyn issues (fix #1825) (#1850) · SonarSource/sonar-dotnet@c1ad3b2 · GitHub
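As an added example for the second workaround (not code from the original post or from SonarSource), the following script bulk-reclassifies already-imported external Roslyn issues through the SonarQube Web API; the endpoints api/issues/search and api/issues/set_type exist in SonarQube 8.9, while the rule-to-type mapping, the constructed sample page, and the server URL, token and project key are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed mapping of external rule key -> intended issue type. Derive it from the same
# categories you pass in sonar.cs.roslyn.bugCategories / vulnerabilityCategories so that
# issues imported before the configuration change end up consistent with new ones.
RULE_TYPE_MAP = {
    "external_roslyn:CA2100": "VULNERABILITY",  # review SQL queries for injection
    "external_roslyn:CA2000": "BUG",            # dispose objects before losing scope
}

# Constructed sample of the "issues" array returned by api/issues/search.
SAMPLE_ISSUES = [
    {"key": "AX1", "rule": "external_roslyn:CA2100", "type": "CODE_SMELL"},
    {"key": "AX2", "rule": "external_roslyn:CA2000", "type": "BUG"},
    {"key": "AX3", "rule": "external_roslyn:CA1062", "type": "CODE_SMELL"},
]

def plan_retypes(issues, rule_type_map=RULE_TYPE_MAP):
    """Return [(issue_key, target_type)] for issues whose current type differs from the
    mapped target. Rules absent from the mapping are left untouched."""
    return [(i["key"], rule_type_map[i["rule"]]) for i in issues
            if i["rule"] in rule_type_map and i.get("type") != rule_type_map[i["rule"]]]

def _call(base_url, token, path, params, method):
    # SonarQube accepts a user token as the basic-auth username with an empty password.
    auth = base64.b64encode(f"{token}:".encode()).decode()
    query = urllib.parse.urlencode(params)
    url = f"{base_url.rstrip('/')}/{path}"
    req = urllib.request.Request(url if method == "POST" else f"{url}?{query}",
                                 data=query.encode() if method == "POST" else None,
                                 method=method, headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_issues(base_url, token, project_key, rule_keys, page_size=500):
    """Page through api/issues/search for the project, filtered to the external rule keys."""
    issues, page = [], 1
    while True:
        body = _call(base_url, token, "api/issues/search", {"componentKeys": project_key,
                     "rules": ",".join(rule_keys), "ps": page_size, "p": page}, "GET")
        issues.extend(body["issues"])
        if page * page_size >= body["paging"]["total"]:
            return issues
        page += 1

def reclassify(base_url, token, project_key):
    """Retype every already-imported issue that the current mapping would classify differently."""
    plan = plan_retypes(fetch_issues(base_url, token, project_key, RULE_TYPE_MAP))
    for key, new_type in plan:
        _call(base_url, token, "api/issues/set_type", {"issue": key, "type": new_type}, "POST")
    return len(plan)
```

Run reclassify("https://sonarqube.example", "<token>", "<project-key>") with a token that has Administer Issues permission; plan_retypes is pure, so the intended changes can be reviewed offline before anything is sent.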