Make sure that this http request is sent safely. (external_roslyn:S4825)

I use HttpClient to call my back-end. After last update i got an error:
Code Smell: Make sure that this http request is sent safely. ([external_roslyn:S4825])

I’m sure my connection is secure. how do I fix this message?

Hi @onatsko,

Thank you for your feedback.

Am I right in assuming that you see this issue on a pull request?

We have a bug in our current C# and VB .Net analysis. We are working on it and I will come back to you as soon as it is fixed.

In the mean time you can unblock your pull requests by ignoring external roslyn error in your project like this:
Go to your project’s Administration tab > General Settings > External analyzers > C# Ignore issues from external Roslyn analyzers > enable the option. The security hotspot issues will disappear the next time your pull requests are analyzed.

Just to give some context: The issue you mention is a Security Hotspot. Those issues are meant to help security auditors during code reviews. They are created on code which is security-sensitive, i.e. code where vulnerabilities generally occur, but which doesn’t necessarily contain a vulnerability. Security Hotspot issues should never impact the quality gate, nor should they be visible on Pull Requests.

We apologize for the inconvenience.

Best regards,

1 Like

Thank you, Nicolas!
I try enable the option

yes, you are right

Hi @onatsko,

The fix is now deployed on SonarCloud. You can enable back the external roslyn issues.
Thank you again for your patience.

Best regards,

1 Like

Thank U!

Hi @Nicolas_Harraudeau and @onatsko,

I’m also encountering this problem.

What is the proper way to implement Httpclient since every sample in the internet are all the same?

Hi @AxL28AxL,

The issue raised by this rule does not indicate that you are doing something wrong. Security Hotspot rules, such as this one, guide developers to security sensitive places in the code. The goal is to help code review when an action can have a big impact on security.

You can take a look at the rules’ description to see what needs to be checked. If everything is good you can change the issue status to “Clear”. If on the other hand there is a vulnerability you can set it to “Detect”, this last action will change its type to Vulnerability.

Note that we will soon replace this Security Hotspot rule with S5332. This new rule will focus only on non-HTTPS requests. Rule S5144 will take care of detecting if there is a server-side request.

Let me know if you have any other question.