Security Hotspots is reporting a violation that should be suppressed by #pragma

We have a function that has the following code…

#pragma warning disable S4790 // Sonar - usage of known weak hashing algorithm - <link to jira ticket with the long term fix>
var algorithm = HashAlgorithm.Create("SHA1") ?? throw new ArgumentException("Failed to create Sha1 hash algorithm");
#pragma warning restore S4790

Despite this suppression, the SonarCloud UI for the project reports this as a security hotspot and to resolve it, I must use the UI (which I currently do not have the access level required in this project despite the fact that it shows me as the author of it) to mark the hotspot as something we know about and have plans to fix later.
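The snippet above is the poster's own code. The following is an added example (not from the original post or from SonarSource) showing the two in-source suppression forms that Roslyn-based analyzers such as SonarC# accept for a rule id, each with a written justification, next to the SHA-256 path that raises no S4790 hotspot. It assumes .NET 5 or later for `Convert.ToHexString` and `SHA256.HashData`; the ticket reference is a placeholder, and the rule title text after the colon in the attribute is informational (Roslyn matches on the `S4790` check id).

```csharp
using System;
using System.Diagnostics.CodeAnalysis;
using System.Security.Cryptography;
using System.Text;

// Added example, not the original poster's code.
public static class LegacyDigest
{
    // Form 1: #pragma, scoped to the lines between disable and restore.
    // The trailing comment carries the justification a reviewer looks for.
    public static byte[] Sha1ForLegacyFormat(byte[] data)
    {
#pragma warning disable S4790 // Weak hash kept only for the legacy checksum format; replacement tracked in TICKET-PLACEHOLDER
        using var sha1 = SHA1.Create();
#pragma warning restore S4790
        return sha1.ComputeHash(data);
    }

    // Form 2: SuppressMessage attribute, scoped to the whole member.
    // Roslyn matches on the check id before the colon; the category string is
    // informational (assumption: SonarC# does not require a particular category).
    [SuppressMessage("Security", "S4790:Using weak hashing algorithms is security-sensitive",
        Justification = "Legacy checksum format; replacement tracked in TICKET-PLACEHOLDER")]
    public static string Sha1Hex(string text)
    {
        using var sha1 = SHA1.Create();
        return Convert.ToHexString(sha1.ComputeHash(Encoding.UTF8.GetBytes(text)));
    }

    // The long-term fix the justifications point to: SHA-256 is not flagged by S4790,
    // so new callers use this and the suppressed members shrink to the legacy path only.
    public static string Sha256Hex(string text)
    {
        return Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(text)));
    }
}
```

Keeping the suppressed region as small as possible (a single call, not a whole file) limits what the suppression hides, and the ticket reference in the justification is what makes the "fix planned" state visible to anyone reading the code even when the dashboard still shows the hotspot.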

Thanks Andrew for the feedback. As usual, it’s always precise and relevant.

We just created https://github.com/SonarSource/sonar-dotnet/issues/4724 to investigate further the root cause. #pragma warning disable syntax is supposed to work even for Security Hotspots.

Reading your post, I’ve got the feeling that the real need expressed here is that you would expect to have a status on Security Hotspots to say: “this one has been reviewed and yes there is a problem and it will be handled later”. So basically, you need to have a “Confirmed” status.

Am I correct?

TBH it's more of a "Stop reporting this thing that we have a plan for correcting as a problem on the dashboards and in any reports that management looks at" or "Fix planned" status. Confirming is just an acknowledgement and that isn't very different from "Reported", as it's still outstanding.

Thanks for your answer.

I’m aligned with you and I created a card on the SonarQube Portal to track this need.
