Make a Security Hotspot block a PR if new code contains this security hotspot

Hello,
We are using SonarCloud on C++ source code and we would like to configure it so that this security hotspot in particular blocks PRs that contain it:
cpp:S6069 - “sprintf” should not be used
How can I configure SonarCloud or the Quality Gate of the PRs to do that?
I do not want to manage this as a security hotspot in fact but as a code smell. Is it possible to transform the type of this warning, for example?
Thanks and regards,

Lauriane

Hi Lauriane,

What we do for rules that we deem to be blockers is that we create a custom Quality Gate, based on the Sonar Way, and use that as our default. In that custom Quality Gate we ensure that any new Blocker and Critical issues will fail the check and we update the rules to such levels.

So per se you can't say that a specific rule is blocking, but you can set the level for each rule, and have the checks fail if any rule reaches the level.

Sonar does allow rules to be ignored by the developers, so you might want to have an internal audit process to have another person review the ones marked as Ignore, False Positive, or when the level is lowered. AFAIK there is no mechanism in Sonar to prevent abuse from bad developers that just want to ignore Sonar and get their PR out, so an internal review can help.

Hello Stephane,

But my problem is that the rule I am talking about is of type "Security Hotspot" and not bug or code smell. This type of rule seems not to block PRs if I put in the Quality Gate a rule that says 0 critical issues. It seems that "Security Hotspot" is not considered as an issue by Sonar. Do you have any tips in my case to configure SonarCloud?

Best regards,

Lauriane
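For readers who land here for the rule itself rather than the gating question: cpp:S6069 reports calls to `sprintf`, which writes an unbounded amount of data into its destination buffer. The following is an added example, not code from this thread or from SonarSource; it shows the pattern the hotspot flags next to two bounded replacements (`snprintf` into a fixed buffer with truncation detection, and sizing a `std::string` first). The function names and the "Hello, %s!" format are illustrative choices made here.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// The pattern cpp:S6069 reports: sprintf has no bound on the destination,
// so a `user` longer than the buffer overruns it (undefined behaviour).
// Kept only to show what the rule flags; never call it with untrusted input.
void greet_unbounded(char *buf, const char *user) {
    std::sprintf(buf, "Hello, %s!", user);
}

// Bounded replacement: snprintf writes at most `size` bytes and always
// NUL-terminates when size > 0. Returns true only when the whole message
// fit, so callers see truncation instead of silently using a cut-off string.
bool greet_bounded(char *buf, size_t size, const char *user) {
    int n = std::snprintf(buf, size, "Hello, %s!", user);
    if (n < 0) {
        return false;                      // encoding error, buffer contents unspecified
    }
    return static_cast<size_t>(n) < size;  // n >= size means the output was truncated
}

// Alternative that avoids fixed buffers entirely: ask snprintf for the
// required length first, then format into a string of exactly that size.
std::string greet_string(const char *user) {
    int n = std::snprintf(nullptr, 0, "Hello, %s!", user);
    if (n < 0) {
        return {};
    }
    std::string out(static_cast<size_t>(n), '\0');
    // size()+1 covers the terminating NUL that std::string keeps past its end.
    std::snprintf(&out[0], out.size() + 1, "Hello, %s!", user);
    return out;
}
```

The return value check in `greet_bounded` is the part reviewers most often miss when they replace `sprintf` with `snprintf`: the overflow is gone, but a truncated path, filename or log line can still cause a logic bug downstream unless the caller is told it was cut short.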