Make sure this debug feature is deactivated before delivering the code in production

Must-share information (formatted with Markdown):

  • which versions are you using
    SonarQube Enterprise Edition Version 8.4.2 (build 36762)

  • what are you trying to achieve
    Make sure this debug feature is deactivated before delivering the code in production

  • what have you tried so far to achieve this

I am getting the security hotspot issue “Make sure this debug feature is deactivated before delivering the code in production” for the ASP.NET Core project in the startup.cs class. Even though the line “app.UseDeveloperExceptionPage()” is inside the if (env.IsDevelopment()) block, I am still getting this issue. How do I fix it?


Hello @kattesang ,

Can you please share a code snippet of the issue you are seeing?


Hi @kattesang,

It seems like you are trying to use the compliant code example you see in the rule description and it’s not working for you. It would really help us if you could provide a code snippet so that we can fix this potential false positive.

Also, be aware that Security Hotspots are meant to highlight sensitive pieces of code that need to be reviewed.
If you think that your code is safe from calling app.UseDeveloperExceptionPage() in production because it’s only activated during development, I think you should mark it as “safe”.

If you want to know more about Security-Hotspot review workflow, have a look at this page of SonarQube documentation.

Why is sonar complaining about this?

public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IServiceProvider serviceProvider)
{
    var isDevelopmentEnvironment = env.IsDevelopment();
    if (isDevelopmentEnvironment)
    {
        app.UseDeveloperExceptionPage(); // this is the line it's complaining about
    }
}

Hi @StingyJack and sorry for the late reply.

The rule detects when DeveloperExceptionPageExtensions.UseDeveloperExceptionPage and DatabaseErrorPageExtensions.UseDatabaseErrorPage methods are called.

As you can see in the rule description, we also avoid raising issues when these methods are called within a “development only” block. The logic to detect such a block is very basic and only applies when HostingEnvironmentExtensions.IsDevelopment is called directly in an if condition, as follows:

if (env.IsDevelopment())
  app.UseDeveloperExceptionPage(); // Compliant

Unfortunately, in the example you shared, IsDevelopment is called outside of the if condition and therefore the rule raises a false-positive.

Here is a ticket that will change the heuristic mentioned above and fix the false positive you experienced.

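To make the heuristic described in the reply above concrete, here is a small line-based mini-linter added as an example; it is not SonarSource's analyzer and the sample snippets are constructed from the fragments posted in this thread. It flags the two methods the reply names and only suppresses a call when the immediately enclosing `if` condition calls IsDevelopment() directly, so the variable-indirected form is reported while the compliant form is not.

```python
import re

# Sensitive ASP.NET Core calls named in the thread (constructed mini-linter, not Sonar's analyzer).
SENSITIVE = re.compile(r"\b(UseDeveloperExceptionPage|UseDatabaseErrorPage)\s*\(")
# An `if (...)` line, optionally followed by an opening brace; the condition text is captured.
IF_COND = re.compile(r"^\s*if\s*\((?P<cond>.*)\)\s*\{?\s*$")

def _guarded_by_is_development(lines, idx):
    """Basic heuristic: the nearest preceding `if` must call IsDevelopment() in its condition."""
    j = idx - 1
    while j >= 0 and lines[j].strip() in ("", "{"):  # skip blank lines and a lone brace
        j -= 1
    if j < 0:
        return False
    m = IF_COND.match(lines[j])
    return bool(m) and "IsDevelopment()" in m.group("cond")

def find_hotspots(source):
    """Return (1-based line number, method name) for every sensitive call that is not guarded."""
    lines = source.splitlines()
    return [
        (i + 1, m.group(1))
        for i, line in enumerate(lines)
        if (m := SENSITIVE.search(line)) and not _guarded_by_is_development(lines, i)
    ]

# Constructed Configure() fragments mirroring the snippets discussed in the thread.
COMPLIANT = """\
if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
"""
INDIRECT = """\
var isDevelopmentEnvironment = env.IsDevelopment();
if (isDevelopmentEnvironment)
    app.UseDeveloperExceptionPage();
"""
UNGUARDED = """\
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
"""

if __name__ == "__main__":
    for name, src in (("compliant", COMPLIANT), ("indirect", INDIRECT), ("unguarded", UNGUARDED)):
        print(name, find_hotspots(src))
```

The `indirect` sample reproduces the false positive from the thread: the condition is only a variable, so a heuristic that looks for IsDevelopment() in the `if` itself cannot tell it apart from an unguarded call.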