Prevent Code smell being applied from external rule engine (roslyn)

quality-profiles

(Alex) #1

We have a number of C# projects that have a quality gate applied to them that is a reduced (tweaked) set of rules copied from the Sonar way.

We’re getting code smell issues for things that aren’t present in our C# profile such as

“Make sure that exposing this HTTP endpoint is safe here.”

The issue is detected from an external rule engine, in this case Roslyn. How do I prevent these issues from being applied to our code when it isn’t in our quality gate set?


(Nicolas Harraudeau) #3

Hi @skausr,

Thank you for your feedback.

We have a bug in our current C# and VB.NET analysis. We are working on it and I will come back to you as soon as it is fixed.

In the meantime you can unblock your pull requests by ignoring external Roslyn errors in your project like this:
Go to your project’s Administration tab > General Settings > External analyzers > C# Ignore issues from external Roslyn analyzers > enable the option. The security hotspot issues will disappear the next time your pull requests are analyzed.

Just to give some context: The issue you mention is a Security Hotspot. Those issues are meant to help security auditors during code reviews. They are created on code which is security-sensitive, i.e. code where vulnerabilities generally occur, but which doesn’t necessarily contain a vulnerability. Security Hotspot issues should never impact the quality gate, nor should they be visible on Pull Requests.

We apologize for the inconvenience.

Best regards,
Nicolas


(Alex) #4

Thanks Nicolas

Do you know when the fix might be in place?

Thanks

Alex


(Alex) #5

So it seems you might have another issue with ignoring external Roslyn sources.

I have ignored them for my Sonar project but am still getting “code smell blocking my PRs”.


(Nicolas Harraudeau) #6

Hi @skausr,

The fix should be deployed today. Thank you for your patience.

Regarding the last problem you mention, i.e. still having external Roslyn issues after ignoring them, was the pull request analyzed again after the configuration change? The issues are updated only after an analysis.


(Brett Postin) #7

Hi @Nicolas_Harraudeau,

Is there a way to subscribe or be notified when the fix has been deployed?

Many thanks,


(Nicolas Harraudeau) #8

Hi @brett.postin,

I will update this thread as well as the other related ones as soon as it is done. It might take longer than originally planned. We are working to fix this ASAP and we apologize again for the inconvenience.

Did you try disabling the external Roslyn issues as described in my first answer?


(Brett Postin) #9

Yes, that does the trick but I’d like to know when it is possible to re-enable.

Thanks for the update.


(Nicolas Harraudeau) #10

Hi @brett.postin, @skausr,

The fix is now deployed on SonarCloud. You can enable the external Roslyn issues back.
Thank you again for your patience.

Best regards,
Nicolas