Hello there, I am analyzing a C# project, but my project is judged as a test project because the project name contains test. I tried to add <sonarqubetestproject>false</sonarqubetestproject> in the csproj file, but there was no change. I tried a lot, but I couldn’t find a solution. I really look forward to your help.
In addition, when the project name contains test, bugs can be detected normally, but vulnerabilities cannot be detected.
Hello @alix2021 - welcome to the community.
Which version of the SonarScanner for .NET are you using?
Note that the behaviour of the scanner changed in v5.1 so that the name of the project is no longer taken into account in classifying the project (see ticket #955)
Thank you for your reply. The version I’m using is 4.6.2.2108
I just changed to version 5.1 of SonarScanner, but the vulnerability still can’t be detected, and the bug can still be detected. Then I changed the name of the csproj, deleted “test” from the name, and the vulnerability was detected.
The documentation says to use the property SonarQubeTestProject, but the casing is not important; the scanner will recognize sonarqubetestproject too.
Can you share your project file?
The scanner logs information about how it classifies each project e.g.
Sonar: (ConsoleApp1.csproj) Categorizing project as test or product code...
Sonar: (ConsoleApp1.csproj) SonarQubeTestProject has been set explicitly to false
Sonar: (ConsoleApp1.csproj) Project categorized. SonarQubeTestProject=false
What does it say for your project?
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SonarQubeTestProject>false</SonarQubeTestProject>
The above is part of the file content; I have added sonarqubetestproject in the csproj file.
Then there is the code of a class I used to test.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

namespace test1
{
    public class Class1
    {
        void A()
        {
            AesManaged aes = new AesManaged
            {
                KeySize = 128,
                BlockSize = 128,
                Mode = CipherMode.OFB, // Noncompliant
                Padding = PaddingMode.PKCS7
            };
            int i = 0;
            int j = 1;
            i =+ j;
        }

        void B()
        {
            var hashProvider1 = new MD5CryptoServiceProvider(); //Noncompliant
            var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("MD5"); //Noncompliant
            var hashProvider3 = new SHA1Managed(); //Noncompliant
            var hashProvider4 = HashAlgorithm.Create("SHA1"); //Noncompliant
            // ...
            Console.WriteLine("so far, so good..."); // Noncompliant
            // ...
            string username = "admin";
            string password = "Password123"; // Noncompliant
            string usernamePassword = "user=admin&password=Password123"; // Noncompliant
            string usernamePassword2 = "user=admin&" + "password=" + password; // Noncompliant
            RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(1024); // Noncompliant
            using (var tripleDES = new TripleDESCryptoServiceProvider()) //Noncompliant
            {
                //...
            }
            // ...
        }

        public int instanceData = 32; // Noncompliant
    }
}
The project name is “test111”.
Thank you for your reply!
@alix2021 It looks like this bug in the SonarC# plugin. The plugin had its own logic for detecting test code separate from the SonarScanner logic, which is why setting SonarQubeTestProject did not have any effect on the outcome.
The good news is that the bug has been fixed recently and the fixed version is available on SonarCloud. The less-good news is that the fix is not yet available in SonarQube, although it should be available in the next version.
Additional info:
- v8.19 of the sonar-csharp-plugin contains the fix - you can check which version of the plugin you have installed in SonarQube with this call: http://[your server name]/api/plugins/installed
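A check a CI job could run to spot projects that may silently lose vulnerability results, given in this thread as an added example that is not part of the original posts or Sonar's own code. It assumes the plugin key `csharp` and a `plugins`/`key`/`version` response shape for /api/plugins/installed, and uses the thread's "name contains test" description as a heuristic; all sample data is constructed.

```python
import json
import re

FIXED = (8, 19)  # sonar-csharp-plugin version the thread says contains the fix
# Constructed sample of an /api/plugins/installed response (shape is an assumption).
SAMPLE_PLUGINS = '{"plugins": [{"key": "csharp", "version": "8.15 (build 24505)"}]}'
# Constructed scanner log lines, following the format quoted in the thread.
SAMPLE_LOG = """\
Sonar: (ConsoleApp1.csproj) Categorizing project as test or product code...
Sonar: (ConsoleApp1.csproj) SonarQubeTestProject has been set explicitly to false
Sonar: (ConsoleApp1.csproj) Project categorized. SonarQubeTestProject=false
Sonar: (test111.csproj) Project categorized. SonarQubeTestProject=false
Sonar: (Api.UnitTests.csproj) Project categorized. SonarQubeTestProject=true
"""
CATEGORIZED = re.compile(
    r"\((?P<proj>[^)]+)\) Project categorized\. SonarQubeTestProject=(?P<val>\w+)", re.I)

def csharp_plugin_version(plugins_json, key="csharp"):
    """Return (major, minor) of the C# plugin, or None if absent or unparsable."""
    for plugin in json.loads(plugins_json).get("plugins", []):
        if plugin.get("key") == key:
            m = re.match(r"(\d+)\.(\d+)", plugin.get("version", ""))
            return (int(m.group(1)), int(m.group(2))) if m else None
    return None

def classifications(log_text):
    """Map project file -> True if the scanner categorized it as test code."""
    return {m["proj"]: m["val"].lower() == "true" for m in CATEGORIZED.finditer(log_text)}

def at_risk(log_text, plugins_json):
    """Projects to review because vulnerability rules may not be reported for them."""
    version = csharp_plugin_version(plugins_json)
    plugin_fixed = version is not None and version >= FIXED
    findings = {}
    for proj, is_test in classifications(log_text).items():
        if is_test:
            findings[proj] = "categorized as test code by the scanner"
        elif not plugin_fixed and "test" in proj.lower():
            # Heuristic from the thread: older plugin applied its own name-based check.
            findings[proj] = "product code, but plugin predates 8.19 and name contains 'test'"
    return findings

if __name__ == "__main__":
    for proj, why in at_risk(SAMPLE_LOG, SAMPLE_PLUGINS).items():
        print(f"{proj}: {why}")
```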
Thank you for your answer, it’s very helpful to me!