Issues reported by external analyzers are not reclassified when the rule configuration changes

Version: SonarQube 8.9.5, Azure DevOps Server 2020.1.1 using SonarQube build tasks

Error: Once an issue is known to SonarQube, it will not reclassify the issue during subsequent scans of the same code branch.

Steps to reproduce:

  1. Analyze a .NET project including external Roslyn rules with default settings. Those rules will be classified as a Code Smell by default.
  2. Add classification configuration, either in the Administration - External Analyzers section in SonarQube, or via analysis configuration such as sonar.cs.roslyn.bugCategories or sonar.cs.roslyn.vulnerabilityCategories. For reference: Importing Third-Party Issues | SonarQube Docs
  3. Analyze the same code branch again. The issues will remain classified as Code Smell. Note that this may also affect the issue severity; I have not tested this specifically.
  4. Analyze a different code branch that has not been analyzed in SonarQube before. The issues will be classified correctly there.

When a SonarQube-internal rule is reclassified, this flows through to the projects. I would expect the same for external rules.

Potential workarounds:

Code that’s responsible for classifying external issues and rules: Import third party Roslyn issues (fix #1825) (#1850) · SonarSource/sonar-dotnet@c1ad3b2 · GitHub

Hey @cba

This is known and expected behavior, so I’ve moved your post to Suggest New Features!