SonarQube Version: v9.9 LTS, SonarQube Data Center Edition
Deployed through Zip
Recently we upgraded from 9.8 to the latest LTS version.
Post-upgrade, there was a sudden spike in vulnerabilities for one of the projects, and all of them were reported by this one rule.
(Rule: I/O function calls should not be vulnerable to path injection attacks, ID: roslyn.sonaranalyzer.security.cs:S2083).
The issue here is that no changes were made to the source code, yet all these new vulnerabilities were reported in the overall code. (Also, this project uses the default Quality Profile and Quality Gate, both before and after the upgrade.)
I’m trying to understand what might be the cause of this.
I noticed there was only one new rule (csharpsquid:S6444) added and one removed (csharpsquid:S4214) from the C# profile in this version, so this is not related at all.
Any help/suggestions are very much appreciated.
Please let me know if any more information is required.
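As an added example (not code from this thread or from SonarSource), here is the kind of data flow S2083 reports, next to a hardened form that validates the name and checks containment before the I/O call; `ReportStore`, `baseDir` and `requestedName` are assumed names:

```csharp
using System;
using System.IO;

// Hypothetical file-serving helper; names are assumptions, not from the thread.
public static class ReportStore
{
    // Pattern that S2083 reports: a request-controlled value flows unchanged
    // into a file-system call. "../" sequences escape baseDir, and an absolute
    // requestedName makes Path.Combine discard baseDir entirely.
    public static string ReadReportVulnerable(string baseDir, string requestedName)
    {
        string path = Path.Combine(baseDir, requestedName);
        return File.ReadAllText(path);
    }

    // Hardened form: accept only a bare file name, canonicalise both paths, and
    // verify the target is still inside the base directory before reading.
    public static string ReadReportSafe(string baseDir, string requestedName)
    {
        // Only a plain file name is expected: no separators, no rooted paths.
        if (string.IsNullOrEmpty(requestedName)
            || requestedName != Path.GetFileName(requestedName)
            || Path.IsPathRooted(requestedName))
        {
            throw new ArgumentException("Invalid report name.", nameof(requestedName));
        }

        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
        {
            root += Path.DirectorySeparatorChar;
        }

        // Resolve ".." and "." segments so the prefix check sees the real target.
        string full = Path.GetFullPath(Path.Combine(root, requestedName));

        // Containment check: anything the name filter let through must still
        // resolve under root, otherwise refuse before touching the file system.
        if (!full.StartsWith(root, StringComparison.Ordinal))
        {
            throw new UnauthorizedAccessException("Path escapes the report directory.");
        }

        return File.ReadAllText(full);
    }
}
```

The analyzer tracks the tainted value from its source to the sink, so moving the check into a helper does not by itself clear the issue; the sanitising step has to sit on the path the value actually takes to the I/O call.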
I’m sorry, I didn’t exactly understand what you mean by "Rule Implementations"; also, are these implementation changes listed as part of the changelog?
The rule that flags these vulnerabilities had already reported some issues during the previous scans, and those were either fixed or marked as WF/FP.
Though most of the issues raised now were FP, still, what could be the cause of these issues being reported now? (In some files, the same rule had flagged issues during the previous scans, but on different lines.)
The rules themselves become smarter during SonarQube upgrades, to suppress false positives and fix false negatives (where an issue should have been raised but couldn’t be, due to an error in the logic or a lack of support for a specific framework).