Problem with C# project analysis, I set the sonarqubetestproject property in the csproj file

Hello there, I am analyzing a C# project, but my project is judged as a test project because the project name contains test. I tried to add <sonarqubetestproject>false</sonarqubetestproject> in the csproj file, but there was no change. I tried a lot, but I couldn’t find a solution. I really look forward to your help.

In addition, when the project name contains test, bugs can be detected normally, but vulnerabilities cannot be detected.

Hello @alix2021 - welcome to the community.

Which version of the SonarScanner for .NET are you using?

Note that the behaviour of the scanner changed in v5.1 so that the name of the project is no longer taken into account in classifying the project (see ticket #955).

Thank you for your reply. The version I’m using is 4.6.2.2108

I just changed to version 5.1 of SonarScanner, but the vulnerability still can’t be detected, and the bug can still be detected. Then I changed the name of the csproj, deleted “test” from the name, and the vulnerability was detected.

The documentation says to use the property SonarQubeTestProject, but the casing is not important; the scanner will recognize sonarqubetestproject too.

Can you share your project file?

The scanner logs information about how it classifies each project e.g.

  Sonar: (ConsoleApp1.csproj) Categorizing project as test or product code...
  Sonar: (ConsoleApp1.csproj) SonarQubeTestProject has been set explicitly to false
  Sonar: (ConsoleApp1.csproj) Project categorized. SonarQubeTestProject=false

What does it say for your project?

<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <SonarQubeTestProject>false</SonarQubeTestProject>

The above is part of the file content. I have added sonarqubetestproject in the csproj file.
Then there is the code of a class I used to test.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

namespace test1
{	
    public class Class1
    {
        void A()
        {
            AesManaged aes = new AesManaged
            {
                KeySize = 128,
                BlockSize = 128,
                Mode = CipherMode.OFB, // Noncompliant
                Padding = PaddingMode.PKCS7
            };	
            int i = 0;
            int j = 1;
            i =+ j;
        }
        void B()
        {
            var hashProvider1 = new MD5CryptoServiceProvider(); //Noncompliant
            var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("MD5"); //Noncompliant
            var hashProvider3 = new SHA1Managed(); //Noncompliant
            var hashProvider4 = HashAlgorithm.Create("SHA1"); //Noncompliant
            // ...
            Console.WriteLine("so far, so good..."); // Noncompliant
            // ...
            string username = "admin";
            string password = "Password123"; // Noncompliant
            string usernamePassword = "user=admin&password=Password123"; // Noncompliant
            string usernamePassword2 = "user=admin&" + "password=" + password; // Noncompliant
            RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(1024); // Noncompliant
            using (var tripleDES = new TripleDESCryptoServiceProvider()) //Noncompliant
            {
                //...
            }
            // ...	
        }
        public int instanceData = 32; // Noncompliant	
    }
}

The project name is “test111”.

Thank you for your reply!

@alix2021 It looks like this bug in the SonarC# plugin. The plugin had its own logic for detecting test code separate from the SonarScanner logic, which is why setting SonarQubeTestProject did not have any effect on the outcome.

The good news is that the bug has been fixed recently and the fixed version is available on SonarCloud. The less-good news is that the fix is not yet available in SonarQube, although it should be available in the next version.

Additional info:

  • v8.19 of the sonar-csharp-plugin contains the fix
  • you can check which version of the plugin you have installed in SonarQube with this call: http://[your server name]/api/plugins/installed
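The two checks discussed in this thread (the scanner's categorization log lines and the installed plugin version) can be combined into a CI check that flags projects whose vulnerability findings may be silently missing. This is an added example, not code from the thread or from Sonar. It assumes the `=true` log line follows the same pattern as the quoted `=false` one, that `/api/plugins/installed` returns `{"plugins": [{"key", "version"}]}` with the C# plugin under the key `csharp`, and the function names and sample inputs are constructed for illustration.

```python
import json
import re

# Line format copied from the scanner output quoted in the thread; the
# "=true" variant is assumed to follow the same pattern.
CATEGORIZED = re.compile(
    r"Sonar: \((?P<project>[^)]+)\) Project categorized\. "
    r"SonarQubeTestProject=(?P<is_test>true|false)", re.IGNORECASE)
FIXED_PLUGIN = (8, 19)  # sonar-csharp-plugin version named in the thread


def categorized_projects(build_log):
    """Map each project file to True if the scanner categorized it as test code."""
    return {m["project"]: m["is_test"].lower() == "true"
            for m in CATEGORIZED.finditer(build_log)}


def csharp_plugin_has_fix(installed_json, key="csharp"):
    """Check an /api/plugins/installed response for a C# plugin >= 8.19.
    Assumed shape: {"plugins": [{"key": "csharp", "version": "8.x ..."}]}."""
    for plugin in json.loads(installed_json).get("plugins", []):
        if plugin.get("key") == key:
            m = re.match(r"(\d+)\.(\d+)", plugin.get("version", ""))
            return bool(m) and (int(m[1]), int(m[2])) >= FIXED_PLUGIN
    return False


def coverage_warnings(build_log, installed_json):
    """List projects whose vulnerability findings may be missing."""
    fixed = csharp_plugin_has_fix(installed_json)
    warnings = []
    for project, is_test in categorized_projects(build_log).items():
        if is_test:
            warnings.append(f"{project}: categorized as test code by the scanner")
        elif not fixed and "test" in project.lower():
            warnings.append(f"{project}: name contains 'test' and plugin is older than 8.19")
    return warnings


# Constructed sample inputs (not taken from a real build or server).
SAMPLE_LOG = """\
Sonar: (test111.csproj) SonarQubeTestProject has been set explicitly to false
Sonar: (test111.csproj) Project categorized. SonarQubeTestProject=false
Sonar: (Api.Tests.csproj) Project categorized. SonarQubeTestProject=true
Sonar: (ConsoleApp1.csproj) Project categorized. SonarQubeTestProject=false
"""
SAMPLE_OLD = '{"plugins": [{"key": "csharp", "version": "8.15.0.1"}]}'
SAMPLE_NEW = '{"plugins": [{"key": "csharp", "version": "8.19.0.1"}]}'

if __name__ == "__main__":
    for line in coverage_warnings(SAMPLE_LOG, SAMPLE_OLD):
        print("WARNING:", line)
```
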

Thank you for your answer, it’s very helpful to me!
