I’ve set up my Azure DevOps pipeline with SonarCloud analysis, using the integrated MSBuild scanner.
During the build step, the output log lists many rule violations. I am building the main branch, so all code is scanned.
Some of the violations are from active rules. However, when consulting the SonarCloud issues tab, these violations are not displayed. The same behavior occurs with SonarLint in Visual Studio, with violations not being raised at all. One such rule is S2245.
I am building a single solution with many projects. I can see all source code in the SonarCloud ‘code’ tab, yet many violations that should be listed are not.
Is there a way to get Sonar to actually report on all active rules?
To go through the Security Hotspots in your project, you need to go to the Security Reports tab.
And you will see two types of issues: Vulnerabilities and Security Hotspots (please read the docs for the difference between Vulnerabilities and Security Hotspots).
We are not raising Security Hotspots in the IDE because they need manual review - whether there’s a security problem or not depends on the context. For example, storing data in a cookie is security sensitive - whether that data is safe to be stored in the cookie or not needs manual triage.
I hope this explains why these issues appear in the logs and not in the main UI.
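As an added illustration of the triage point made in the answer (this is example code written for this thread, not code from the original poster’s solution or from SonarSource): rule S2245 flags use of non-cryptographic pseudorandom number generators as a Security Hotspot. The same `new Random()` call is harmless in one context and a real weakness in another, which is exactly why the scanner logs it but leaves the verdict to a human in the Security Reports tab rather than raising it as an issue or in SonarLint. Method names below are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the original thread: two uses of a PRNG that S2245
// reports identically as a Security Hotspot, with different review outcomes.
public static class RandomUsage
{
    // Hotspot reported here. Reviewer outcome: "Safe". The order of items in a
    // demo list has no security impact, so System.Random is acceptable.
    public static int[] ShuffleForDisplay(int count)
    {
        var rng = new Random();
        var items = new int[count];
        for (int i = 0; i < count; i++) items[i] = i;
        for (int i = count - 1; i > 0; i--)
        {
            int j = rng.Next(i + 1);
            (items[i], items[j]) = (items[j], items[i]);
        }
        return items;
    }

    // Hotspot reported here too. Reviewer outcome: needs fixing. A password
    // reset token must be unpredictable, and System.Random is seeded from the
    // clock and is not designed to resist prediction.
    public static string NewResetTokenWeak()
    {
        var rng = new Random();
        var bytes = new byte[32];
        rng.NextBytes(bytes);
        return Convert.ToHexString(bytes);
    }

    // Hardened form: RandomNumberGenerator is the framework CSPRNG, so this
    // method raises no S2245 hotspot and the review can be closed as "Fixed".
    public static string NewResetToken()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToHexString(bytes);
    }
}
```

When the MSBuild scanner analyses this file it logs S2245 for both `new Random()` calls, but neither appears under Issues; they are listed under Security Reports as hotspots waiting for the Safe/Fixed decision shown in the comments. `RandomNumberGenerator.Fill` and `Convert.ToHexString` require .NET 5 or later.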