Security Hotspots Reappearing After Review

We are currently undergoing the process of using SonarCloud for all of our projects. We are planning on using Sonar to automatically break the build on our ADO-hosted git repos and have set our quality gates to break on Bugs, Vulnerabilities and incomplete security reviews.

I am running into an issue where I have gone through the security review several times for the same hotspot despite marking the hotspot as safe on multiple prior reviews.

It seems every time new code is merged to our develop branch the security review does not remember that the hotspot has already been reviewed and marked as safe.

In addition to this, I am getting some errors raised against code that has already been changed to fix the security issue, but the file shown in Sonar is an old version of the code.

Hey there.

What language(s) are you analyzing, and how is your Azure DevOps pipeline configured? Feel free to share the Azure DevOps pipeline YAML here (or at least, an example of one where the SonarCloud project exhibits this behavior).

The language in question is C#.

Two issues, as an example, that re-occur after already being marked safe in review are:

  • An open CORS policy.
  • A local connection string in an appconfig.

The section of the YAML dealing with Sonar is here:

```yaml
steps:
  - checkout: self
  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'SonarCloud 2.0'
      organization: '<OurOrganization>'
      scannerMode: 'MSBuild'
      projectKey: '<OurProjectKey>'
      extraProperties: |
        sonar.cs.opencover.reportsPaths=$(Build.SourcesDirectory)/Coverlet/coverage.opencover.xml
  - task: DotNetCoreCLI@2
    displayName: Restore
    inputs:
      command: restore
      projects: $(BuildParameters.RestoreBuildProjects)
      feedsToUse: config
      nugetConfigPath: "nuget.config"
  - task: DotNetCoreCLI@2
    displayName: Build
    inputs:
      projects: $(BuildParameters.RestoreBuildProjects)
      arguments: "--configuration $(BuildConfiguration)"
  - task: DotNetCoreCLI@2
    displayName: Test
    inputs:
      command: test
      projects: $(BuildParameters.TestProjects)
      arguments: >-
        --configuration $(BuildConfiguration)
        /p:Threshold=$(CodeCoverageThreshold)
        /p:CollectCoverage=true
        /p:CoverletOutputFormat="json%2ccobertura%2copencover"
        /p:CoverletOutput=$(Build.SourcesDirectory)/Coverlet/
        /p:MergeWith=$(Build.SourcesDirectory)/Coverlet/coverage.json
        /p:ExcludeByFile="**/*.Designer.cs"
  - task: SonarCloudAnalyze@1
  - task: SonarCloudPublish@1
    inputs:
      pollingTimeoutSec: '300'
```

Thanks.

The behavior you’re describing sounds like it could be the result of a non-clean (non-full) build happening, which SonarCloud needs. Without this, the Security Hotspots get closed and then reopened when some code is missing or analysis isn’t complete.

One way to check is looking at the Activity tab of your project. Do you see any wild variations for metrics like Lines of Code or Issues over time?
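The Activity-tab check suggested above can also be scripted, so that a sudden collapse of Lines of Code or Security Hotspots between two analyses is caught rather than eyeballed. The following is an added example and not code from the thread or from SonarSource. It assumes the JSON shape returned by SonarCloud's `/api/measures/search_history` endpoint (`{"measures": [{"metric": ..., "history": [{"date": ..., "value": ...}]}]}`); the sample payload embedded in it is constructed to mimic one analysis that ran against a partial build, and the 30% threshold is an arbitrary choice.

```python
"""Flag analysis-to-analysis swings in a SonarCloud project's metric history.

Added example, not code from the original thread. It parses the JSON shape
that SonarCloud's /api/measures/search_history endpoint is assumed to return
and reports consecutive analyses whose value changes by more than a threshold,
the kind of "wild variation" in Lines of Code or Security Hotspots that hints
at an incomplete (non-full) build being fed to the scanner, which in turn
closes and reopens hotspots.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample, not real project data: a develop-branch history in which
# the third analysis saw only a fraction of the code (e.g. a partial build),
# then the fourth recovered.
SAMPLE_HISTORY = json.dumps({
    "measures": [
        {"metric": "ncloc", "history": [
            {"date": "2023-05-01T10:00:00+0000", "value": "41230"},
            {"date": "2023-05-02T10:00:00+0000", "value": "41410"},
            {"date": "2023-05-03T10:00:00+0000", "value": "8120"},
            {"date": "2023-05-04T10:00:00+0000", "value": "41515"},
        ]},
        {"metric": "security_hotspots", "history": [
            {"date": "2023-05-01T10:00:00+0000", "value": "12"},
            {"date": "2023-05-02T10:00:00+0000", "value": "12"},
            {"date": "2023-05-03T10:00:00+0000", "value": "3"},
            {"date": "2023-05-04T10:00:00+0000", "value": "12"},
        ]},
    ]
})


def parse_history(payload: str) -> Dict[str, List[Tuple[str, float]]]:
    """Return {metric: [(date, value), ...]} in analysis order.

    Entries without a "value" key (an analysis that did not compute the
    metric) are skipped rather than treated as zero.
    """
    data = json.loads(payload)
    out: Dict[str, List[Tuple[str, float]]] = {}
    for measure in data.get("measures", []):
        points = []
        for point in measure.get("history", []):
            if "value" in point:
                points.append((point["date"], float(point["value"])))
        out[measure["metric"]] = points
    return out


def find_swings(history: Dict[str, List[Tuple[str, float]]],
                threshold: float = 0.30):
    """Return (metric, from_date, to_date, old, new, relative_change) for every
    pair of consecutive analyses whose relative change exceeds `threshold`."""
    swings = []
    for metric, points in history.items():
        for (d0, v0), (d1, v1) in zip(points, points[1:]):
            base = max(abs(v0), 1.0)      # avoid divide-by-zero on empty projects
            rel = (v1 - v0) / base
            if abs(rel) > threshold:
                swings.append((metric, d0, d1, v0, v1, rel))
    return swings


if __name__ == "__main__":
    # With a live project you would fetch the payload with a token and
    # component=<projectKey>&metrics=ncloc,security_hotspots (assumed parameters).
    for metric, d0, d1, v0, v1, rel in find_swings(parse_history(SAMPLE_HISTORY)):
        print(f"{metric}: {v0:g} -> {v1:g} ({rel:+.0%}) between {d0} and {d1}")
```

On the constructed sample this flags the drop to 8120 lines and 3 hotspots on 2023-05-03 and the rebound the next day; a real history with such a pair is exactly the pattern the reply above asks you to look for, and the analysis in between is the build to inspect.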

The builds are from Azure DevOps build agents automatically triggered on a pull request, so these builds should be full builds every time?

Yes, especially when you’re building your main branch. Are they currently configured as an incremental build?