Security Hotspots is reporting a violation that should be suppressed by #pragma

We have a function that has the following code…

#pragma warning disable S4790 // Sonar - usage of known weak hashing algorithm  - <link to jira ticket with the long term fix>
            var algorithm = HashAlgorithm.Create("SHA1") ?? throw new ArgumentException("Failed to create Sha1 hash algorithm");
#pragma warning restore S4790

Despite this suppression , the sonarcloud UI for the project reports this as a security hotspot and to resolve it, I must use the UI (which I currently do not have the access level required in this project despite the fact that it shows me as the author of it) to mark the hotspot as something we know about and have plans to fix later.

Thanks Andrew for the feedback. As usual, it’s always precise and relevant.

We just created https://github.com/SonarSource/sonar-dotnet/issues/4724 to investigate further the root cause. #pragma warning disable syntax is supposed to work even for Security Hotspots.

Reading your post, I’ve got the feeling that the real need expressed here is that you would expect to have a status on Security Hotspots to say: “this one has been reviewed and yes there is a problem and it will be handled later”. So basically, you need to have a “Confirmed” status.

Am I correct?

TBH its more of a “Stop reporting this thing that we have a plan for correcting as a problem on the dashboards and in any reports that management looks at” or “Fix planned” status. Confirming is just an acknowledgement and that isnt very different from “Reported”, as its still outstanding.