Hi
There is a tool, Security Code Scan, which has some good rules for .NET. Have you considered the option to adapt those rules into SonarQube?
Hello,
We already looked at Security Code Scan and I believe we cover well what they cover. All the rules related to injection vulnerabilities (Command, SQL, …) are implemented at SonarSource with a taint analyzer, so you should expect better results with our injection rules than what is provided by Security Code Scan (if you have the Developer Edition or if you are using SonarCloud).
Are there any specific rules that you need and that are not provided by us?
Can you provide the list of these missing rules and a little bit of reasoning to help me understand why you need them?
Thanks
Alex
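The reply above contrasts a taint analyzer with rule-by-rule pattern checks for injection. The following C# snippet is an added illustration written for this page, not code from the thread, from SonarSource or from Security Code Scan, and it does not claim what either tool reports on it. It shows the kind of flow a taint analyzer is built to follow: user input entering one method, passing through a helper, and reaching a `SqlCommand` sink in a third, where no single line visibly concatenates input into a query. The class, method and column names, and the `System.Data.SqlClient` provider, are assumptions chosen for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: hypothetical repository, not from the original thread.
public class OrderRepository
{
    private readonly string _connectionString;

    public OrderRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE: the caller passes attacker-controlled text (e.g. a query
    // string parameter). It is concatenated in BuildFilter(), and the
    // resulting string reaches new SqlCommand(...) inside Run(). Neither
    // Run() nor this method contains a concatenation next to the sink; a
    // taint analyzer tracks the value across the three methods instead.
    public int? FindFirstOrderVulnerable(string userSuppliedCustomer)
    {
        string filter = BuildFilter(userSuppliedCustomer);   // taint propagates
        return Run("SELECT TOP 1 Id FROM Orders WHERE " + filter);
    }

    private static string BuildFilter(string customer)
    {
        // Input such as  x' OR '1'='1  changes the meaning of the query.
        return "Customer = '" + customer + "'";
    }

    private int? Run(string sql)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))            // sink
        {
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result is DBNull ? null : (int?)Convert.ToInt32(result);
        }
    }

    // HARDENED: the query text is a constant; the user value travels only
    // as a typed parameter, so it can never be parsed as SQL.
    public int? FindFirstOrderSafe(string userSuppliedCustomer)
    {
        const string sql = "SELECT TOP 1 Id FROM Orders WHERE Customer = @customer";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@customer", SqlDbType.NVarChar, 100).Value = userSuppliedCustomer;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result is DBNull ? null : (int?)Convert.ToInt32(result);
        }
    }
}
```

When comparing the two tools on your own code base, this is the shape of case worth checking rather than counting rules: put the concatenation and the sink in different methods (or different files) and see whether each tool still reports the flow.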
Hi
I don't know, I haven't compared one by one, but SCS has 39 rules and the Sonar plugin (if I am looking at the right one) has 29 vulnerability rules.
Hi Alex
Have you had any chance to review this?
Thanks
Hello,
Comparing one by one and extracting what is missing and why this is important to you was what I was looking for.
Comparing 29 vs 39 is not helping, and by the way, if you compare just the number of rules, you should also count the Security Hotspots (+18), so it's 47 vs 39.
Which vulnerabilities or security-sensitive pieces of code would you like SonarQube / SonarCloud to detect for you?
Thanks
Alex