which versions are you using
SonarQube Enterprise Edition Version 8.4.2 (build 36762)
what are you trying to achieve
Make sure this debug feature is deactivated before delivering the code in production
what have you tried so far to achieve this
I am getting the security hotspot issue “Make sure this debug feature is deactivated before delivering the code in production” for the ASP.Net Core project in the startup.cs class. Even though the line “app.UseDeveloperExceptionPage()” was included in the if (env.IsDevelopment()) block, I am getting this issue. How to fix this issue?
It seems like you are trying to use the compliant code example you see in the rule description and it’s not working for you. It would really help us if you could provide a code snippet so that we can fix this potential false positive.
Also, be aware that Security Hotspots are meant to highlight sensitive pieces of code that need to be reviewed.
If you think that your code is safe from calling app.UseDeveloperExceptionPage() in production because it’s only activated during development, I think you should mark it as “safe”.
If you want to know more about Security-Hotspot review workflow, have a look at this page of SonarQube documentation.
```csharp
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IServiceProvider serviceProvider)
{
    // IsDevelopment() is evaluated here and its result stored, outside the if condition
    var isDevelopmentEnvironment = env.IsDevelopment();
    if (isDevelopmentEnvironment)
    {
        app.UseDeveloperExceptionPage(); // this is the line it's complaining about
    }
    ...
```
The rule detects when DeveloperExceptionPageExtensions.UseDeveloperExceptionPage and DatabaseErrorPageExtensions.UseDatabaseErrorPage methods are called.
As you can see in the rule description, we also avoid raising issues when these methods are called within a “development only” block. The logic to detect such a block is very basic and it only applies when HostingEnvironmentExtensions.IsDevelopment is called in an if condition as follows:
```csharp
if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage(); // Compliant
}
```
Unfortunately, in the example you shared, IsDevelopment is called outside of the if condition and therefore the rule raises a false-positive.
Here is a ticket that will change the heuristic mentioned above and fix the false positive you experienced.
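As an added illustration (not SonarSource's code), here is a small Python model of the heuristic described in this reply: the two method calls are reported unless they sit inside a block opened by an `if` whose condition calls IsDevelopment() directly, so the poster's variable-based guard is flagged while the inline condition is not. The line-based brace tracking and the sample snippets are assumptions made for the demo; the real analyzer works on the C# syntax tree.

```python
import re
# Methods the rule flags, and the only "development only" guard the heuristic
# recognises: IsDevelopment() called directly inside an if condition.
SENSITIVE_CALLS = ("UseDeveloperExceptionPage", "UseDatabaseErrorPage")
DEV_GUARD = re.compile(r"^\s*if\s*\(.*\bIsDevelopment\s*\(\s*\)")

def find_hotspots(source):
    """Return (line, method) for each sensitive call not inside a guarded block.
    Line-based simplification (assumes braces on their own lines, as in the
    snippets in this thread); the real analyzer works on the syntax tree."""
    hotspots = []
    block_is_guarded = []        # one entry per open '{'
    next_block_guarded = False   # set once an if (... IsDevelopment() ...) is seen
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]   # ignore trailing comments
        if DEV_GUARD.match(code):
            next_block_guarded = True
        for method in SENSITIVE_CALLS:
            if method + "(" in code and not any(block_is_guarded):
                hotspots.append((lineno, method))
        for ch in code:
            if ch == "{":
                block_is_guarded.append(next_block_guarded)
                next_block_guarded = False
            elif ch == "}" and block_is_guarded:
                block_is_guarded.pop()
    return hotspots

# Constructed samples: the poster's pattern (IsDevelopment() result stored in a
# variable) and the compliant pattern from the rule description.
FALSE_POSITIVE = """\
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    var isDevelopmentEnvironment = env.IsDevelopment();
    if (isDevelopmentEnvironment)
    {
        app.UseDeveloperExceptionPage();
    }
}
"""
COMPLIANT = """\
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseDatabaseErrorPage();
    }
}
"""
```

Running `find_hotspots(FALSE_POSITIVE)` reports line 6 of the first snippet, while the compliant snippet produces no hotspot.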