S6967 - ModelState.IsValid on GET with simple types - false positive?

Please provide

  • Operating system: Windows 11
  • Visual Studio version: 18.4.0
  • SonarQube for Visual Studio plugin version: 9.9.0.16495
  • Programming language you’re coding in: C#
  • Is connected mode used:
    • SonarQube Cloud, SonarQube Server, or SonarQube Community Build? (if one of the latter two, which version?): No

And a thorough description of the problem / question:
Scanner is flagging controller GET actions as requiring ModelState.IsValid checks. I recently updated the scanner so I’m not sure if this is a problem with the latest version or if this is just an edge case.

Example:

```
[HttpGet]
public async Task<IActionResult> EditAsync(Guid? guid)
{
    // The only bound parameter is a simple type (Guid?) with no validation attributes.
    var viewModel = await CreateViewModelAsync(guid);
    return View(viewModel);
}
```

The linter flags EditAsync for csharpsquid:S6967 with high severity.

Update: it appears the rule is flagged for anything other than a string.

Hi @CWDev,

You are correct, this is a false positive. This is a known issue and the rule should not raise when action parameters are simple types (primitives, structs like Guid, DateTime, etc.) with no validation attributes — there is nothing meaningful to validate via ModelState.IsValid in those cases.

This is tracked publicly in sonar-dotnet#9262. You can follow that issue for updates. As a workaround in the meantime, you can suppress the issue with a #pragma warning disable S6967 comment on the affected action.
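
The workaround from the reply above, scoped to the one affected action, shown next to an action where the `ModelState.IsValid` check still belongs. This is an added example, not code from the thread or from Sonar; `ItemsController`, `EditViewModel`, the POST action and the body of `CreateViewModelAsync` are assumptions made for illustration.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

// Hypothetical view model: the validation attributes are what make
// ModelState.IsValid meaningful for the POST action below.
public class EditViewModel
{
    public Guid? Id { get; set; }

    [Required, StringLength(100)]
    public string Name { get; set; } = string.Empty;
}

public class ItemsController : Controller
{
    // GET with a simple-type parameter and no validation attributes:
    // suppress S6967 for this action only, then restore it so the rule
    // keeps reporting on the rest of the file.
#pragma warning disable S6967
    [HttpGet]
    public async Task<IActionResult> EditAsync(Guid? guid)
    {
        var viewModel = await CreateViewModelAsync(guid);
        return View(viewModel);
    }
#pragma warning restore S6967

    // POST binding a complex type with validation attributes: keep the check.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Edit(EditViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model); // redisplay the form with validation errors
        }
        // Persist the validated model here (storage is outside this example).
        return RedirectToAction("Index");
    }

    // Stand-in for the poster's helper, whose body is not shown in the thread.
    private Task<EditViewModel> CreateViewModelAsync(Guid? guid) =>
        Task.FromResult(new EditViewModel { Id = guid });
}
```

Pairing the `disable` with a `restore` keeps the suppression from silencing S6967 on actions added later in the same file.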