Security Hotspot warnings not displayed on the Security Hotspots page on SonarQube 8.2 version community edition

I’m using SonarQube sonarqube-8.2.0.32929 Community Edition and the scanner sonar-scanner-msbuild-4.7.1.2311-net46.
I’m trying to validate C# rules using SonarQube 8.2, rules that I have already validated on SonarQube 8.1, as part of our development product. On version 8.2 it seems the Security Hotspots warnings are not considered in the report:

E.g. analyzing:

using System.Net;

namespace SonarQubeToolVerification.SecurityHotspot.Warnings
{
    public class S1313Warning
    {
        public void HardcodedIPWarning()
        {
            // Hardcoded IP address: expected to raise Security Hotspot S1313
            var ip = "192.168.12.42";
            var address = IPAddress.Parse(ip);
        }
    }
}

Waiting for Security Hotspots warning:
S1313: Using hardcoded IP addresses is security-sensitive

but nothing is displayed in the report.
It was working fine in version 8.1.

Hello,

Welcome to the SonarQube community and thanks for your feedback.

I did a quick scan using a Solution targeting .NET Framework 4.8 and a fresh download of SonarQube 8.2 and I can see the Security Hotspot:

Did you check the new Security Hotspots page?

Thanks
Alex

Thank you Alex for your quick input.

I'm aware that the UI design has changed in version 8.2. I did check the new Security Hotspots page, but there is nothing to review. I've noticed you are using .NET Framework 4.8 and I'm using 4.7.2. I will upgrade my .NET Framework and see if it is going to work.

Thank you!

Felix

Hello Felix,

The version of .NET Framework should not impact the behavior of the rules, but I can see in your screenshot that you named your project TestTool. The name in SonarQube has no impact, but there is a great chance that your file is not scanned at all because it is considered a test file, since your project (.csproj) is considered a test project (i.e. a project containing only unit test files).

Check if you are in the conditions described in the section Detection of Test Projects in https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-msbuild/ such as:

Projects with names ending in “Test” or “Tests”

Alex

Hello Alex,

I have run the same project under the name ReportViewer and I got the same result.

I will try to install the 8.2 SonarQube version from scratch (Previously, I did an upgrade from 8.1) on another computer to see if it will work.

Thank you Alex!

Felix

Can you upload your reproducer here so I can scan it on my side? (the entire solution directory zipped to be sure to be as close as possible to your context)

Did you check if you see your file in the Code tab? If it’s not there, it means it is not scanned.

Alex

Hello Alex,

The class is scanned because it is the only one that I’m scanning from the project. Other classes are excluded from the project. Under the Code tab I got:

Thank you!

Felix

Hello Alex,

I have tried to upload the solution as .7z files but I’m not allowed to do this.

Thank you!

Felix

Hello Alex,

The problem is in our solution branch. I have tried an old version where 8.1 was working fine and noticed that 8.2 is also working fine. I got the expected results:

When I find what the problem was, I will let you know.

Thank you!

Felix

Hello Alex,

I have found where the problem was: this reference, Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll. I have just removed it and now everything is working fine.

Thank you!

Felix

Hello Alex,

Actually we need that DLL, "Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll". I can't validate some other rules that need this reference:

E.g.:
S1607: Tests should not be ignored

and the code:

using Microsoft.VisualStudio.TestTools.UnitTesting;

// Tests should not be ignored
//
// When a test fails due, for example, to infrastructure issues, you might want to ignore it temporarily. But without some kind of
// notation about why the test is being ignored, it may never be reactivated.
// Such tests are difficult to address without comprehensive knowledge of the project, and end up polluting their projects.

namespace SonarQubeToolVerification.CodeSmell.Warnings
{
    public class S1607Warning
    {
        [TestMethod]
        // Noncompliant
        [Ignore]
        public void Test_DoTheThing()
        {
            // …
        }
    }
}

Do you have any suggestion, please?

Thank you!

Felix

Hello,

I understand that what you are scanning is a fake Solution to validate the behavior of our rules, and all the code is in the same Project (.csproj).
I suggest having a Solution made of 2 Projects (so 2 .csproj): one with the .cs files related to test rules and one with the others. This way you can add the reference to UnitTestFramework.dll only in the Test project.

Alex
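A solution layout along the lines Alex suggests, as an added example that is not part of the original thread: the thread establishes that a project whose name ends in "Test"/"Tests", or that references Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll, is treated as a test project and its files are not scanned for Security Hotspots. Keeping the test-framework reference in a separate project means S1313Warning.cs is still scanned while S1607Warning.cs still compiles. The project names, folder layout and HintPath below are assumptions; both files are SDK-style projects targeting net472.

```xml
<!-- ToolVerification.Product/ToolVerification.Product.csproj (assumed name; must not end in "Test" or "Tests").
     Holds S1313Warning.cs and the other non-test rule samples.
     No test-framework reference, so SonarScanner for MSBuild treats it as a product project
     and the S1313 Security Hotspot is reported for it. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net472</TargetFramework>
  </PropertyGroup>
</Project>

<!-- ToolVerification.Tests/ToolVerification.Tests.csproj (assumed name).
     Holds S1607Warning.cs and the other samples that need the MSTest attributes.
     Both the name suffix and the UnitTestFramework reference mark it as a test project,
     which is intended here because only test-related rules are validated in it. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net472</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <Reference Include="Microsoft.VisualStudio.QualityTools.UnitTestFramework">
      <!-- HintPath is an assumption: point it at the copy of the assembly your solution uses -->
      <HintPath>..\lib\Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll</HintPath>
    </Reference>
  </ItemGroup>
</Project>
```

SDK-style projects compile every .cs file under their own folder by default, so the two sets of rule samples have to live in separate directories; a quick check after scanning is that S1313Warning.cs shows up under the Code tab of the product project, since a file that is absent there was not scanned at all.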

Thank you Alex!

Felix