Not possible to disable a rule for JsSecuritySensor

I’m using version 8.9 LTS.
I have disabled some security rules, because otherwise scanning a small project takes around 40 minutes.

sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e5,e6
sonar.issue.ignore.multicriteria.e1.ruleKey=jssecurity:S3649
sonar.issue.ignore.multicriteria.e1.resourceKey=**/*
sonar.issue.ignore.multicriteria.e2.ruleKey=pythonsecurity:S3649
sonar.issue.ignore.multicriteria.e2.resourceKey=**/*
sonar.issue.ignore.multicriteria.e3.ruleKey=roslyn.sonaranalyzer.security.cs:S3649
sonar.issue.ignore.multicriteria.e3.resourceKey=**/*
sonar.issue.ignore.multicriteria.e4.ruleKey=javasecurity:S3649
sonar.issue.ignore.multicriteria.e4.resourceKey=**/*
sonar.issue.ignore.multicriteria.e5.ruleKey=tssecurity:S3649
sonar.issue.ignore.multicriteria.e5.resourceKey=**/*
sonar.issue.ignore.multicriteria.e6.ruleKey=phpsecurity:S3649
sonar.issue.ignore.multicriteria.e6.resourceKey=**/*

However, this is not taken into account at all, because the rules are still applied.

INFO: Running symbolic analysis
INFO: rule: S5131 done
INFO: rule: S5146, entrypoints: 449
INFO: Running symbolic analysis
INFO: rule: S5146 done
INFO: rule: S2631, entrypoints: 449
INFO: Running symbolic analysis
INFO: rule: S2631 done
INFO: rule: S3649, entrypoints: 449
INFO: Running symbolic analysis
INFO: rule: S3649 done
INFO: rule: S6105, entrypoints: 449
INFO: Running symbolic analysis
INFO: rule: S6105 done
INFO: rule: S5883, entrypoints: 449
INFO: Running symbolic analysis
INFO: rule: S5883 done
INFO: rule: S6096, entrypoints: 449
INFO: Running symbolic analysis

Hello David,

In order to deactivate a rule, you need to create a custom Quality Profile in which the rule is NOT activated. Then you need to associate this new Quality Profile with your project.

That said, can you share some details about your project, such as the logs of the analysis and the number of JS LOCs? Having to wait 40 min is indeed not the kind of performance we expect on JS projects with SQ 8.9 LTS. The expectation is to be able to process 950+ LOCs per second for a project made up mainly of JS code.

Alex

Yes, I did that, and it works fine. But what about the parameters? I saw your post that it was fixed in version 9.1, but the latest LTS is 8.9.

Hello,

I don’t understand what you mean by “what about parameters”.

If you want to get the best analysis performance, you should use the latest version of SonarQube (9.3 as of now), where we enhanced the performance of our taint analyzer.

Alex

Hi,
What I mean is that the sonar properties are not taken into account in the latest LTS. And my company informed me that it is following the best practices, in which you recommend the LTS version (maybe we are wrong?). So it’s confusing regarding your policy: the LTS version is recommended, but bug fixes are not ported to the latest LTS, so then what is the LTS version for?
Thanks

This property is there to control which issues you do or don’t want to see in the UI. The property has no impact on whether the rules run or not in the analyzer. It’s probably misleading, I admit.

The recommendation is to stay on the LTS if you want stable features. We do backport Blocker problems to the LTS. Since the first release of the 8.9 LTS, we have already provided 7 bug-fix releases.

We do consider “speed” a feature, and so any change we make to improve the speed of the analysis goes into the latest version. You should accept using the latest version of SonarQube if you want the fastest analyzers.

Alex
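To make Alex's point concrete, the following is an added example (not code from this thread or from SonarSource): it parses `sonar.issue.ignore.multicriteria` entries out of a `sonar-project.properties` text, applies them to a constructed list of issues the way a report-side filter would, and separately extracts which rules an analyzer log (constructed here in the same format as the log above) says were executed. The Ant-style `resourceKey` matching (`**`, `*`, `?`) and the wildcard support in `ruleKey` are my own reimplementation for illustration, not the scanner's code; the sample properties, issues and log lines are constructed.

```python
"""Added example: show that sonar.issue.ignore.multicriteria filters
reported issues only, while the analyzer log still shows every rule running."""
import re

# Constructed sample: ignore entries in the same shape as the original post.
SAMPLE_PROPERTIES = """
# comments and blank lines are skipped
sonar.issue.ignore.multicriteria=e1,e2
sonar.issue.ignore.multicriteria.e1.ruleKey=jssecurity:S3649
sonar.issue.ignore.multicriteria.e1.resourceKey=**/*
sonar.issue.ignore.multicriteria.e2.ruleKey=jssecurity:S5131
sonar.issue.ignore.multicriteria.e2.resourceKey=src/legacy/**/*.js
"""

# Constructed sample issues as a report-side filter would see them.
SAMPLE_ISSUES = [
    {"rule": "jssecurity:S3649", "path": "src/app/db.js"},
    {"rule": "jssecurity:S5131", "path": "src/legacy/view.js"},
    {"rule": "jssecurity:S5131", "path": "src/app/view.js"},
    {"rule": "javascript:S1481", "path": "src/app/util.js"},
]

# Constructed sample analyzer log in the format quoted in the thread.
SAMPLE_LOG = """INFO: rule: S5131, entrypoints: 449
INFO: Running symbolic analysis
INFO: rule: S5131 done
INFO: rule: S3649, entrypoints: 449
INFO: Running symbolic analysis
INFO: rule: S3649 done
"""


def parse_properties(text):
    """Minimal key=value parser for a .properties file (assumption: no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def load_ignore_criteria(props):
    """Return [(ruleKeyPattern, resourceKeyPattern), ...] for each listed criterion id."""
    prefix = "sonar.issue.ignore.multicriteria"
    criteria = []
    for cid in (c.strip() for c in props.get(prefix, "").split(",") if c.strip()):
        rule = props.get(f"{prefix}.{cid}.ruleKey")
        resource = props.get(f"{prefix}.{cid}.resourceKey")
        if rule is None or resource is None:
            raise ValueError(f"criterion {cid!r} is missing ruleKey or resourceKey")
        criteria.append((rule, resource))
    return criteria


def ant_pattern_to_regex(pattern):
    """Translate an Ant-style path pattern: '**' spans directories, '*' and '?' stay in one segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_key_matches(pattern, rule_key):
    """ruleKey may carry '*' wildcards (e.g. 'jssecurity:*'); everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, rule_key) is not None


def filter_issues(issues, criteria):
    """Drop every issue matched by some (ruleKey, resourceKey) criterion."""
    return [
        issue for issue in issues
        if not any(rule_key_matches(rk, issue["rule"]) and ant_pattern_to_regex(rp).match(issue["path"])
                   for rk, rp in criteria)
    ]


def rules_executed(log_text):
    """Rule ids the analyzer log reports as finished, regardless of any ignore property."""
    return sorted({m.group(1) for m in re.finditer(r"^INFO: rule: (S\d+) done$", log_text, re.M)})


if __name__ == "__main__":
    criteria = load_ignore_criteria(parse_properties(SAMPLE_PROPERTIES))
    print("ignore criteria:", criteria)
    print("issues left in report:", filter_issues(SAMPLE_ISSUES, criteria))
    print("rules the analyzer still ran:", rules_executed(SAMPLE_LOG))
```

Running it shows the two sides of Alex's answer: the S3649 issue and the legacy-tree S5131 issue disappear from the report, while the log still records both S3649 and S5131 as executed, which is why the property cannot shorten the analysis; only a Quality Profile without the rule does that.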
