Rule 'Disabling CSRF protections is security-sensitive' does not seem to be working

  • ALM used: Azure DevOps - Git
  • Languages of the repository: C# .Net MVC 4.8.1

This rule does not seem to be picking up issues: C# static code analysis

We have an example of a .NET Framework MVC project (4.8.1) with unsafe HTTP POST actions on the controller and no ValidateAntiForgeryToken attributes defined on the action, or globally (there is no global.cs), nor on the cshtml view, yet when SonarCloud performs the scan no ‘Security Hotspots’ are flagged.

We have found this by running an alternative SAST tool (CAST) which identifies this issue correctly.

Is this because in SonarCloud the rule only applies to .Net Core MVC projects rather than .Net Framework MVC?
If not, can you suggest a way I can investigate why this is happening and how I can ensure this potential vulnerability can be detected?

Hey there.

We would ask that you provide code that reproduces the (lack of) issue where you would expect an issue to be raised (whether it is the original code or not). I’ve moved your post to the section on reporting false-negatives.

Hi @Colin, I have attached a sample app that demonstrates the issue.

CSRF-Sonar.zip (4.1 MB)

Hi,

Thank you for providing an example of code.

This rule detects when the anti-CSRF protection is actively disabled and thus, in the case of a .NET Framework application, it does not detect that by default it is unsafe.
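To make the distinction in the reply above concrete, here is an added illustration (not code from the thread or from the attached sample app) of what "unsafe by default" looks like in an ASP.NET MVC 5 controller on .NET Framework 4.8.1, next to the per-action fix and a global filter that closes the gap. The controller, action and model names are assumptions for illustration; the attributes and the AntiForgery.Validate() call are the framework's own.

```csharp
// Added example for ASP.NET MVC 5 on .NET Framework 4.8.1 (not the thread's code).
// The framework validates an anti-forgery token only when an action opts in,
// so a POST action with no attribute is unprotected without anything being
// "disabled" for a rule to flag. AccountController, UpdateEmail, UpdateEmailSafe
// and EmailModel are hypothetical names.
using System.Web.Helpers;   // AntiForgery (System.Web.WebPages.dll)
using System.Web.Mvc;

public class EmailModel
{
    public string Email { get; set; }
}

public class AccountController : Controller
{
    // Unsafe by default: state-changing POST, no [ValidateAntiForgeryToken].
    // Nothing here turns a protection off, which is why a rule that looks for
    // an explicit opt-out reports nothing.
    [HttpPost]
    public ActionResult UpdateEmail(EmailModel model)
    {
        // ... persist model.Email for the current user ...
        return RedirectToAction("Index");
    }

    // Hardened: the action validates the token the view emits with
    // @Html.AntiForgeryToken() inside the form. A request whose
    // __RequestVerificationToken field and cookie are missing or mismatched
    // fails with HttpAntiForgeryException before the action body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult UpdateEmailSafe(EmailModel model)
    {
        // ... persist model.Email for the current user ...
        return RedirectToAction("Index");
    }
}

// Defence in depth: validate the token on every non-safe request so an action
// that forgets the attribute is still covered. Register it once, e.g. in
// FilterConfig.RegisterGlobalFilters:
//   filters.Add(new ValidateAntiForgeryTokenOnUnsafeMethodsAttribute());
// (Registering ValidateAntiForgeryTokenAttribute itself globally would also
// reject every GET, which is why this wrapper checks the method first.)
public class ValidateAntiForgeryTokenOnUnsafeMethodsAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var method = filterContext.HttpContext.Request.HttpMethod;
        if (method == "GET" || method == "HEAD" || method == "OPTIONS")
        {
            return; // safe methods carry no token and must not be blocked
        }

        // Throws HttpAntiForgeryException when the form field and cookie
        // are absent or do not match; MVC turns that into an error response.
        AntiForgery.Validate();
    }
}
```

With the global filter in place, a scan that cannot tell "never enabled" from "explicitly disabled" matters less, because the per-action attribute stops being the only line of defence; the matching Razor form still needs @Html.AntiForgeryToken() so that a legitimate submission carries the token the filter expects.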

OK, thanks @sebastien.andrivet. I assume therefore that Sonar does not have any other rules to detect this if it is unsafe by default.

We do not have such a rule for .NET Framework. I have created an internal ticket for this false negative. We will address it in the future but I can’t tell you when.
