Scanner command used when applicable (private details masked): SonarCloudPrepare@4.2.0
Languages of the repository:
Error observed (wrap logs/code around with triple quotes ``` for proper formatting):
For SonarCloudPrepare and VisualStudioTestPlatformInstaller a specific version is demanded. You don't trust your own pipeline task?
Steps to reproduce:
In the pipeline, the following tasks are marked as Security Hotspots:
```yaml
- task: SonarCloudPrepare@4
  # Use complete version number for the task instead of "4".
  displayName: 'Prepare the SonarQube Cloud analysis'
  condition: ne(variables['Build.Reason'], 'Schedule')
  inputs:
    SonarCloud: $(SonarQubeServiceConnection)
    organization: $(SonarQubeOrganization)
- task: VisualStudioTestPlatformInstaller@1
  # Use complete version number for the task instead of "1".
  inputs:
    packageFeedSelector: 'nugetOrg'
    versionSelector: 'specificVersion'
    testPlatformVersion: '17.9.0'
```
We intentionally treat our own tasks just like any others. Since we don't see ourselves as an exception to the rules, we recommend version pinning for our analysis tasks as well. The only time we waive this requirement is for the out-of-the-box tasks, to avoid the "noise", as this rule would otherwise raise on practically all pipelines.
That being said, it would be best to also pin these versions, even though one could argue that if you already trust the Microsoft platform to run your code, you likely trust the standard tasks they provide as part of that ecosystem.
As for your VisualStudioTestPlatformInstaller example, this was mistakenly left off the list of out-of-the-box tasks, but I have already created a fix that will silence it in the future. Thanks for letting us know!
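The behaviour described in the reply (flag every `task: Name@Version` step whose version is not a full major.minor.patch, but stay silent for an allowlist of out-of-the-box tasks) as an added, stand-alone check. This is illustrative code written for this thread, not the Sonar rule's own implementation: it scans the YAML line by line with a regular expression instead of a real YAML parser, the allowlist contains only the task name this thread confirms is waived (the analyzer's real list is larger and not reproduced here), and the sample pipeline is constructed from the steps in the post plus one pinned step.

```python
import re
from dataclasses import dataclass

# Matches Azure Pipelines steps of the form "- task: Name@Version".
# The version may be a bare major ("4") or a full "major.minor.patch" ("4.2.0").
TASK_RE = re.compile(r"^\s*-\s*task:\s*([A-Za-z0-9_.-]+)@(\S+)\s*$")
FULL_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")

# Tasks the check stays silent on, mirroring the waiver for out-of-the-box
# tasks mentioned in the reply. Assumption: only the task confirmed on this
# page is listed; the analyzer maintains its own, larger list.
BUILTIN_ALLOWLIST = frozenset({"VisualStudioTestPlatformInstaller"})


@dataclass(frozen=True)
class Finding:
    line: int
    task: str
    version: str
    message: str


def check_task_pinning(yaml_text, allowlist=BUILTIN_ALLOWLIST):
    """Return one Finding per task step that is not pinned to a full version.

    Steps whose task name is in `allowlist` are skipped even when unpinned,
    which is how the reply describes the treatment of out-of-the-box tasks.
    """
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = TASK_RE.match(line)
        if not m:
            continue
        task, version = m.groups()
        if FULL_VERSION_RE.match(version):
            continue  # already pinned to major.minor.patch
        if task in allowlist:
            continue  # waived: out-of-the-box task
        findings.append(
            Finding(
                line=lineno,
                task=task,
                version=version,
                message=f'Use complete version number for the task instead of "{version}".',
            )
        )
    return findings


# Constructed sample: the two steps from the post plus a pinned variant of the
# first one, using the full version quoted at the top of the thread.
SAMPLE_PIPELINE = """\
steps:
  - task: SonarCloudPrepare@4
    displayName: 'Prepare the SonarQube Cloud analysis'
  - task: VisualStudioTestPlatformInstaller@1
    inputs:
      versionSelector: 'specificVersion'
      testPlatformVersion: '17.9.0'
  - task: SonarCloudPrepare@4.2.0
    displayName: 'Prepare the SonarQube Cloud analysis (pinned)'
"""


if __name__ == "__main__":
    # Default mode: waived task is silent, so only SonarCloudPrepare@4 is reported.
    for f in check_task_pinning(SAMPLE_PIPELINE):
        print(f"line {f.line}: {f.task}@{f.version}: {f.message}")
    # Strict mode (empty allowlist): both unpinned steps are reported, which is
    # what the original poster observed before the fix mentioned in the reply.
    for f in check_task_pinning(SAMPLE_PIPELINE, allowlist=frozenset()):
        print(f"[strict] line {f.line}: {f.task}@{f.version}")
```

Running the block with the default allowlist reports only the `SonarCloudPrepare@4` step; passing an empty allowlist reproduces the two hotspots from the post. Pinning `SonarCloudPrepare@4` to `SonarCloudPrepare@4.2.0`, as in the third sample step, clears the finding.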