Security hotspot not reported on any branch but master

Hello,

SQ reports a security hotspot on one of my projects. Please see https://sonarcloud.io/project/security_hotspots?id=com.github.sbaudoin%3Asonar-ansible

The line that triggers the issue is the following:

        Matcher oldSplitter = Pattern.compile("^(.*):([0-9]+): \\[E([^\\[]+)\\] (.*)$").matcher(rawIssue);

But if I create a branch to try to fix the issue, the hotspot is not detected. Please see https://sonarcloud.io/project/security_hotspots?branch=java_S5852&id=com.github.sbaudoin%3Asonar-ansible

        Matcher oldSplitter  = Pattern.compile("^(.*):([0-9]+): \\[E([^\\[]+)\\] (.*)$").matcher(rawIssue);
        Matcher oldSplitter2 = Pattern.compile("^(.*):([0-9]+): \\[E([^\\[]+)\\] (.+)$").matcher(rawIssue);
        Matcher oldSplitter3 = Pattern.compile("^(.*):([0-9]+): \\[E([^\\[]+)\\] (.*)$").matcher(rawIssue);

Above, the first line is the one that causes the issue on the master branch (I added an extra space to ease visual comparison): it is not reported as buggy (neither is the 3rd line, which is exactly the same), but the second line is. From this we can say that * does not seem to cause the issue, but on the master branch it does.

Do you know what is wrong in the master branch?

Regards,

Sylvain

Hi Sylvain,

I am not sure if this answers your question, but in general issues that are detected on the main branch will not be reported on subsequent analyses of PRs that branch off from that main branch, since PR analysis only reports differences with the main branch (i.e., basically only issues that were not detected on the main branch and are therefore considered to have been added by the PR itself). Sometimes this difference detection gets a bit confused and you see some issues on the PR analysis that were not the result of a change in the PR.

Hello,

Thanks for the reply. I eventually understood that the issues on the master branch are not reported on my branch. That's why I copied/pasted the code that has the issue, but the copy does not raise an issue on the branch. So a code change on a branch is not reported as buggy on the branch, but it certainly will be once merged into the master branch. It is a regexp matter, not so easy to understand and fix, so I wanted to fix it with a trial-and-error approach, but that does not seem possible.
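Since the trial-and-error loop through branch analysis does not work here, one way to iterate locally is to benchmark the regex quoted in the thread against a candidate rewrite on crafted input. The following is an added example, not code from the original post or from the sonar-ansible project. The candidate pattern, the sample lines and the hostile input are assumptions made for the example: in particular, using `[^:]*` for the path part assumes that the path itself never contains a colon, which would not hold for Windows-style paths.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RegexTimingCheck {
    // Regex copied verbatim from the post (the one flagged on master).
    static final Pattern ORIGINAL =
            Pattern.compile("^(.*):([0-9]+): \\[E([^\\[]+)\\] (.*)$");

    // Candidate rewrite (assumption: the path never contains ':').
    // '[^:]*' cannot overlap with the ':' that follows it, so a non-matching
    // line gives the engine nothing to backtrack over in the first group.
    static final Pattern CANDIDATE =
            Pattern.compile("^([^:]*):([0-9]+): \\[E([^\\[]+)\\] (.*)$");

    // Constructed sample lines in the "path:line: [Exxx] message" shape the
    // regex targets; they are not taken from any real ansible-lint run.
    static final List<String> SAMPLES = List.of(
            "roles/web/tasks/main.yml:12: [E301] Commands should not change things if nothing needs doing",
            "playbook.yml:3: [E403] Package installs should not use latest");

    // True when both patterns agree on whether the line matches and, if it
    // does, on every captured group. Used to check the rewrite keeps behaviour.
    static boolean sameCaptures(Pattern a, Pattern b, String line) {
        Matcher ma = a.matcher(line);
        Matcher mb = b.matcher(line);
        boolean fa = ma.matches();
        boolean fb = mb.matches();
        if (fa != fb) return false;
        if (!fa) return true;
        for (int g = 1; g <= ma.groupCount(); g++) {
            if (!ma.group(g).equals(mb.group(g))) return false;
        }
        return true;
    }

    // Wall-clock time of a single matches() call, in nanoseconds.
    static long nanosToMatch(Pattern p, String input) {
        long start = System.nanoTime();
        p.matcher(input).matches();
        return System.nanoTime() - start;
    }

    // Constructed input: many ':'+digit positions and no " [E" marker, so the
    // match can never complete and the engine has to try every candidate split.
    static String hostileLine(int n) {
        StringBuilder sb = new StringBuilder(2 * n);
        for (int i = 0; i < n; i++) sb.append(":1");
        return sb.toString();
    }

    public static void main(String[] args) {
        for (String line : SAMPLES) {
            System.out.printf("original matches: %b  same captures: %b  <- %s%n",
                    ORIGINAL.matcher(line).matches(),
                    sameCaptures(ORIGINAL, CANDIDATE, line), line);
        }
        for (int n : new int[] {1_000, 10_000, 100_000}) {
            String input = hostileLine(n);
            // One warm-up run per pattern so JIT compilation does not dominate.
            nanosToMatch(ORIGINAL, input);
            nanosToMatch(CANDIDATE, input);
            System.out.printf("n=%7d  original=%9d us  candidate=%9d us%n", n,
                    nanosToMatch(ORIGINAL, input) / 1_000,
                    nanosToMatch(CANDIDATE, input) / 1_000);
        }
    }
}
```

Run it with `java RegexTimingCheck.java` (Java 11 or later). If the candidate captures the same groups on the sample lines and its time stays flat while the input grows, it is a reasonable replacement to push; if the times are essentially the same for both, the hotspot is about the pattern's shape rather than measurable cost on this input, and the fix can be judged on that basis before a SonarCloud analysis is ever triggered.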