Rule violations not reported to SonarCloud

Tags: csharp, vsts, dotnet
(JulienP) #1

Hello.

I’ve set up my Azure DevOps pipeline with SonarCloud analysis, using the integrated MSBuild scanner.

During the build step, the output log lists many rule violations. I am building the main branch, so all code is scanned.

Some of the violations are from active rules. However, when consulting the SonarCloud issues tab, these violations are not displayed. The same behavior occurs with SonarLint in Visual Studio, with violations not being raised at all. One such rule is S2245.

I am building a single solution with many projects. I can see all source code in the SonarCloud ‘code’ tab, yet many violations that should be listed are not.

Is there a way to get Sonar to actually report on all active rules?

Thank you

(Amaury Levé) #3

Hi @jpineault,

Would you mind sharing the log of the end step build task? This will help us diagnose what goes wrong with the analysis.

Cheers,
Amaury

(JulienP) #4

Hi Amaury.

Thank you for your reply. Here is the log. Note that many of the warnings shown are for rules disabled in the quality profile.

Thanks

build_step_output.txt (285.6 KB)

(JulienP) #5

Hi @Ammo.

Do you have an update for this?

Thanks!

(JulienP) #6

Hi @Ammo.

Do you have any new insight into this issue?

Thanks!

(JulienP) #8

Hi @Ammo!

Do you have any updates on this issue?

Keep it going!

(Andrei Epure) #10

Hi @jpineault. Please accept my apologies for the delayed reply.

It seems to me that the rules you are talking about are Security Hotspots, like S2245, for example. You can read about this type of issue in the blog article Pragmatic Application Security - The SonarSource Way and in more detail in the Security Reports section.

To go through the Security Hotspots in your project, you need to go to the Security Reports tab.

And you will see two types of issues: Vulnerabilities and Security Hotspots (please read the docs for the difference between Vulnerabilities and Security Hotspots).

We are not raising Security Hotspots in the IDE via SonarLint because they need manual review: whether there’s a security problem or not depends on the context. For example, storing data in a cookie is security-sensitive; whether that data is safe to be stored in the cookie or not needs manual triage.

I hope this explains why these issues appear in the logs and not in the main SonarCloud UI.

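To make the Hotspot-versus-Vulnerability distinction concrete for the rule named in the thread: S2245 flags uses of non-cryptographic pseudorandom number generators as security-sensitive. The example below is added here and is not code from the thread or from SonarSource; the class and method names are illustrative. The first method is the kind of code S2245 reports as a Security Hotspot, and the second is the form that does not trigger it. Whether the first one is an actual problem depends on what the value is used for (a session token is a problem, a dice roll in a game is not), which is exactly why the analyzer hands it to a reviewer instead of raising it as an issue.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the original thread.
// Shows what S2245 ("Using pseudorandom number generators (PRNGs) is
// security-sensitive") reports as a Security Hotspot, and the form it accepts.
public static class TokenGenerator
{
    // Reported by S2245 as a Security Hotspot: System.Random is seeded from
    // a small state and its output is predictable. If this value is used as
    // a session token, password-reset code, or similar secret, an attacker
    // who observes a few outputs can guess the next ones. If it is used for
    // something like shuffling a playlist, there is no security impact.
    // That context decision is what the manual review in the Security
    // Reports tab is for.
    public static string WeakToken(int length)
    {
        var rng = new Random();
        var bytes = new byte[length];
        rng.NextBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Not reported: RandomNumberGenerator draws from the platform CSPRNG,
    // so the token is unpredictable and suitable for security-sensitive use.
    // RandomNumberGenerator.Fill is available on .NET Core 2.1 / .NET Standard 2.1 and later.
    public static string StrongToken(int length)
    {
        var bytes = new byte[length];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes);
    }

    public static void Main()
    {
        // 32 bytes gives 256 bits of entropy for the secure variant.
        Console.WriteLine("S2245 hotspot (System.Random):   " + WeakToken(32));
        Console.WriteLine("Accepted (RandomNumberGenerator): " + StrongToken(32));
    }
}
```

If the scanner flags `WeakToken` in your project and the value really is a secret, the fix is the `StrongToken` form; if the value is not security-relevant, the Hotspot is resolved as "Safe" in the Security Reports tab rather than changed in code.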