Looking for information on security analysis (SAST, vulnerabilities, and hotspots)

Hi everyone,

We’ve recently onboarded several repos into SonarCloud, doing CI scans with Azure DevOps. A good chunk of them are showing 0 security vulnerabilities and 0 hotspots to review. This has caused some concerns with leadership because typically, static analysis tools will generate many findings and then let you prioritize which to fix (Veracode, Checkmarx, Contrast all behave this way, in our experience). So this has raised some questions about whether this feature is working as expected.

  • Is there any Sonar-official statement on their approach to generating SAST findings and the reasoning behind that, maybe with a comparison to other products in the field?

  • Are there scan logs or other things we can check to verify that the security-related rules did in fact get checked at some point during the analysis? If so, where can we find them? If this has to be enabled with additional parameters/arguments to our scan jobs, where can I find the docs for those?

Thanks!

Hey there.

Philosophically, we would prefer to miss some true issues than flood users with false positives. This is part of our developer-friendly approach – as soon as a tool starts making noise… it tends to be treated as noise.

That being said, we score very well across a number of benchmarks on a number of languages:

  • Java: 93% TPR (on average)
  • C#: 90% TPR (on average)
  • Python: 92% TPR (on average)

What language(s) are you trying to analyze? Have you run analyses on the main branch of the project? Are issues of other types appearing (Code Smells, Bugs)?

Heyo, sorry for the delayed response.

We are getting other types of findings on the projects in question. They’re C# and TypeScript. Analyses are happening on the main branch and several short-lived feature branches.

I was able to find out how to get detailed logging to occur during runs (messing with the verbose/debug logging parameters) and I saw the entries for the security-related rule sets, so I was able to confirm they’re running correctly.

Thanks for the info and I don’t disagree with the approach! I’ll pass this information along. Appreciated!
