No OWASP Top 10 results in new SonarQube version

Hello,

We currently run SonarQube version 7.9.1 for our TFS2019 (ADO) C# code. We use the SonarQube TFS extensions for this analysis, and all is well.

So, to test the new version of SonarQube we installed version 8.9.1 next to the current version, and created a new (TFS2019) pipeline to use the new SonarQube version. So, the only difference in this build is the SonarQube version. Results are shown, but no OWASP Top 10 messages are found. In the 7.9.1 version there are about 100+ results.

We cannot figure out why the difference. We know there can be changes in the active (OWASP) rules, but we know for sure some issues should be found in the new SonarQube version (those rules are active). Furthermore, some other Security Categories have issues registered. We also know that OWASP top10 works for some Java projects we have tested.

Any ideas why we don’t get OWASP issues shown in the new SonarQube version? The TFS build server is up-to-date for all needed components (as far as we know).

Thank you for your input.

Regards, Robin

Hello,

This is not expected because obviously our security rules (vulnerability or hotspot) are mapped to OWASP Top 10 2017 categories and issues should be raised and visible in the Security Category filter on the Issues page.

Did you check if you have Vulnerability and Hotspot rules activated on your C# Quality Profile?
Here is what is activated by default:


Alex


Thank you Alexandre for your input. Yes, we did check that and it looks alright. In the meantime we used another (larger) project and now we got some results. It looks like:

  1. there are fewer rules in the new version (we can check that ourselves)
    and/or
  2. rules are judged differently, so that they don’t show anymore based on our code (or less often).

Can you comment on that? Is it common practice (or known) that in the new version fewer OWASP issues are shown, based on the same code?

Thanks and Regards, Robin

I did some archeology and SonarQube 7.9.x DE was coming for C# with:

  • 26 Vulnerabilities
  • 16 Hotspots

SonarQube 9.1 DE is provided for C# with:

  • 33 Vulnerabilities
  • 27 Hotspots

So just from the figures, we provide more rules for C# today than in the past.

Version after version we are doing our best to remove false-positive issues. I believe you are certainly in such a context where in the past a couple of security rules were raising issues that were FPs and were fixed with the latest versions of SonarQube.

Alex
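Alex's two suggestions above (check which Vulnerability/Hotspot rules are active in the C# Quality Profile, and compare the rule and issue figures between the two servers) can be turned into a repeatable check against the SonarQube Web API. This is an added example, not code from SonarSource or from the thread; it assumes the `api/rules/search` (`qprofile`, `activation`, `types`) and `api/issues/search` (`componentKeys`, `types`, `facets=owaspTop10`) endpoints, a user token, and a constructed sample response for offline use.

```python
"""Compare active C# security rules and OWASP Top 10 issue counts between two SonarQube servers."""
import json
import urllib.parse
import urllib.request
from base64 import b64encode

# Constructed sample responses (not real server output) standing in for
# api/rules/search (only "total" is used) and api/issues/search with facets=owaspTop10.
SAMPLE_RULES = {"total": 42, "rules": []}
SAMPLE_ISSUES = {"total": 7, "issues": [], "facets": [
    {"property": "owaspTop10", "values": [
        {"val": "a1", "count": 3}, {"val": "a3", "count": 4}]}]}


def get_json(base_url, token, path, params):
    """GET a Web API endpoint; SonarQube tokens go in basic auth as the user name with an empty password."""
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def active_security_rule_count(rules_json):
    """Number of rules matched by a rules/search query run with qprofile=<key>&activation=true."""
    return int(rules_json["total"])


def owasp_counts(issues_json):
    """Map OWASP Top 10 2017 category (a1..a10) -> issue count from the owaspTop10 facet."""
    for facet in issues_json.get("facets", []):
        if facet["property"] == "owaspTop10":
            return {v["val"]: v["count"] for v in facet["values"]}
    return {}


def compare(old, new):
    """Categories that had issues on the old server but fewer (or none) on the new one: {cat: (old, new)}."""
    return {cat: (old[cat], new.get(cat, 0)) for cat in old if new.get(cat, 0) < old[cat]}


def snapshot(base_url, token, profile_key, project_key):
    """Active security rule count for the profile plus per-category vulnerability counts for the project.
    The profile key comes from api/qualityprofiles/search?language=cs on the same server."""
    rules = get_json(base_url, token, "api/rules/search", {
        "qprofile": profile_key, "activation": "true",
        "types": "VULNERABILITY,SECURITY_HOTSPOT", "ps": 1})
    issues = get_json(base_url, token, "api/issues/search", {
        "componentKeys": project_key, "types": "VULNERABILITY",
        "facets": "owaspTop10", "ps": 1})
    return active_security_rule_count(rules), owasp_counts(issues)
```

Run `snapshot()` once against each server for the same project key and pass the two facet maps to `compare()`: a category that drops to zero while the rule count stays the same points at rules now raising fewer issues (as Alex describes), whereas a lower rule count points at the Quality Profile.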

Thanks, it looks like it (fewer FPs). We will take it from here, thanks for your answers.
Robin
