Post Upgrade to LTS, there is a spike in Vulnerabilities Reported

Hello,

Sonarqube Version - v9.9 LTS Sonarqube Data Center Edition
Deployed through Zip

Recently we upgraded from 9.8 to the latest LTS version.

Post Upgrade there was a sudden spike in Vulnerabilities for one of the projects and all this was reported by this one rule.
(Rule: I/O function calls should not be vulnerable to path injection attacks,
ID: roslyn.sonaranalyzer.security.cs:S2083).

Before Upgrade

After Upgrade

The issue here is there were no changes made to the source code and all these new vulnerabilities were reported in the overall code. (Also this project is using the default Quality Profile and Quality Gate both before and after the upgrade)

I’m trying to understand what might be the cause of this.
I noticed there was only one new rule (csharpsquid:S6444) added and one removed (csharpsquid:S4214) from the C# profile in this version. So this is totally unrelated.

Any help/suggestions are very much appreciated.
Please let me know if any more information is required.

Thanks in Advance.

Aravind
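For readers trying to judge whether an S2083 finding is valid, here is an added example (written for this page, not code from the thread, from the project, or from SonarSource) of the kind of data flow the rule targets: a request-controlled string joined into a file path and passed to an I/O call, next to a hardened version that normalises the path and checks it stays under an allowed base directory. The class, method names, and the base directory are hypothetical.

```csharp
using System;
using System.IO;

// Added illustration, not taken from the thread. Shows a path-injection
// pattern of the sort rule S2083 reports, and one way to close it.
public static class FileService
{
    // Hypothetical base directory; a real app would take this from config.
    private static readonly string BaseDir =
        Path.GetFullPath(Path.Combine(Path.GetTempPath(), "app-uploads"));

    // Base directory with a trailing separator, so a prefix check cannot be
    // satisfied by a sibling such as "app-uploads-other".
    private static string RootWithSeparator() =>
        BaseDir.EndsWith(Path.DirectorySeparatorChar.ToString())
            ? BaseDir
            : BaseDir + Path.DirectorySeparatorChar;

    // VULNERABLE: 'name' comes straight from the request. A value such as
    // "../secrets.txt" walks out of BaseDir, and an absolute path makes
    // Path.Combine discard BaseDir entirely.
    public static string ReadUnsafe(string name)
    {
        string path = Path.Combine(BaseDir, name);
        return File.ReadAllText(path);
    }

    // Returns true only if the resolved path remains inside BaseDir.
    // Pure string logic, no file-system access, so it can be unit tested.
    public static bool IsInsideBase(string name)
    {
        string candidate = Path.GetFullPath(Path.Combine(BaseDir, name));
        return candidate.StartsWith(RootWithSeparator(), StringComparison.Ordinal);
    }

    // HARDENED: resolve the full path first, then refuse anything that
    // escapes the base directory before touching the file system.
    public static string ReadSafe(string name)
    {
        if (!IsInsideBase(name))
            throw new UnauthorizedAccessException("Path escapes the upload directory.");
        return File.ReadAllText(Path.GetFullPath(Path.Combine(BaseDir, name)));
    }

    public static void Main()
    {
        // Constructed probe inputs for the demonstration.
        string[] probes = { "report.txt", "sub/report.txt", "../secrets.txt", "/etc/passwd" };
        foreach (var p in probes)
            Console.WriteLine($"{p,-16} inside base: {IsInsideBase(p)}");
    }
}
```

Two caveats a reviewer would add: the check uses an ordinal comparison, which on a case-insensitive file system (Windows) is stricter than the OS, so legitimate requests that differ only in case would be rejected rather than accepted; and Path.GetFullPath does not resolve symbolic links, so a link placed inside the base directory can still point elsewhere. Whether a given SonarQube finding is a true positive comes down to whether a check like IsInsideBase sits between the untrusted input and the I/O call on the flagged line.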

Hey there.

Rule implementations change from version to version, and in good news, such issues are backdated so that they don’t infect your New Code Period.

Are the new issues being raised valid issues?

Hi @Colin,

Thanks for your response.

I’m sorry, I didn’t exactly understand what you mean by rule implementations. Also, are these implementation changes listed as part of the changelog?

The Rule that flags these vulnerabilities has already reported some issues during the previous scans and those were either fixed or marked as WF/FP.

Though most of the issues raised now were FPs, what could be the cause of these issues being reported now? (In some files, the same rule has flagged issues during the previous scans, but on different lines.)

Thanks,
Aravind

The rules themselves become smarter during SonarQube upgrades, to suppress false positives and fix false negatives (where an issue should have been raised but couldn’t be, due to an error in the logic or a lack of support for a specific framework).

So I return to this question:

Hi @Colin,

Thanks for your response.

The new issues that were raised are not valid for this source code.

Thanks,
Aravind

I would recommend sharing the details here (see the following post):

Got it, Will do it! Thanks @Colin!
