I’m using SonarQube sonarqube-8.2.0.32929 community edition, sonar scanner sonar-scanner-msbuild-4.7.1.2311-net46
I’m trying to validate C# rules using SonarQube 8.2, rules that I have already validated on SonarQube 8.1, as part of our development product. On version 8.2 it seems the Security Hotspots warnings are not considered in the report:
E.g. Analyzing :
using System.Net;
namespace SonarQubeToolVerification.SecurityHotspot.Warnings
{
public class S1313Warning
{
public void HardcodedIPWarning()
{
var ip = “192.168.12.42”;
var address = IPAddress.Parse(ip);
}
}
}
Waiting for Security Hotspots warning:
S1313: Using hardcoded IP addresses is security-sensitive
but nothing displayed in the report.
It was working fine in the version 8.1
Hello,
Welcome to the SonarQube community and thanks for your feedback.
I did a quick scan using a Solution targeting .NET Framework 4.8 and a fresh download of SonarQube 8.2 and I can see the Security Hotspot:
Did you check the new Security Hotspots page ?
Thanks
Alex
Thank you Alex for your quick input.
I'm aware that within 8.2 version the UI design has changed. I did check the new Security Hotspots page but there is nothing to review. I've noticed you are using .NET Framework 4.8 version and I'm using the 4.7.2 one. I will upgrade my .NET framework and see if it is going to work.
Thank you!
Felix
Hello Felix,
The version of .NET Framework should not impact the behavior of the rules but I can see in your screenshot you named your project TestTool. The name in SonarQube has no impact but there is a great chance that your file is not scanned at all because it is considered as a Test file because your project (.csproj) is considered as a Test project (ie: project containing only unit test files)
Check if you are in the conditions described in the section Detection of Test Projects in SonarScanner for .NET such as:
Projects with names ending in “Test” or “Tests”
Alex
Hello Alex,
I have run the same project under the name ReportViewer and I got the same result.
I will try to install the 8.2 SonarQube version from scratch (Previously, I did an upgrade from 8.1) on another computer to see if it will work.
Thank you Alex!
Felix
Can you upload your reproducer here so I can scan it on my side? (the entire solution directory zipped to be sure to be as close as possible to your context)
Did you check if you see your file in the Code tab? If it’s not there, it means it is not scanned.
Alex
Hello Alex,
The class is scanned because it is the only one that I’m scanning from the project. Others classes are excluded from the project. Under the code tab I got:
Thank you!
Felix
Hello Alex,
I have tried to upload the solution as .7z files but I’m not allowed to do this.
Thank you!
Felix
Hello Alex,
The problem is in our solution branch. I have tried an old version where 8.1 was working fine and I noticed also 8.2 is working fine. I got the expected results:
When I will find what was the problem I will let you know.
Thank you!
Felix
Hello Alex,
I have found where the problem was. Because this reference: Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll. I have just removed it and now everything is working fine.
Thank you!
Felix
Hello Alex,
Actually we need that dll "Microsoft.VisualStudio.QualityTools.UnitTestFramework.dll". I can't validate some other rules that need this reference:
E.g.:
S1607: Tests should not be ignored
and the code:
using Microsoft.VisualStudio.TestTools.UnitTesting;
/// Tests should not be ignored
///
/// When a test fails due, for example, to infrastructure issues, you might want to ignore it temporarily. But without some kind of
/// notation about why the test is being ignored, it may never be reactivated.
/// Such tests are difficult to address without comprehensive knowledge of the project, and end up polluting their projects.
///
namespace SonarQubeToolVerification.CodeSmell.Warnings
{
public class S1607Warning
{
[TestMethod]
// Noncompliant
[Ignore]
public void Test_DoTheThing()
{
// …
}
}
}
Do you have any suggestion, please?
Thank you!
Felix
Hello,
I understand what you are scanning is a fake Solution to validate the behavior of our rules and all the code is in the same Project (.csproj).
I suggest to have a Solution made of 2 Projects (so 2 .csproj): one with the .cs files related to test rules and one with the others. This way you can add the reference to the UnitTestFramework.dll only on the Test project.
Alex
