My team is trying to see if SonarCloud can catch Security Hotspots in the builds for our iOS app. So I made a branch on GitHub, and then looked at one security rule, which is this:
Using hardcoded IP addresses is security-sensitive
And then deliberately pasted a code example in the rule, which is like this:
let host = "192.168.12.42"
Then I created a pull request which triggered the build in Bitrise. After the build I got a notification:
Kudos, SonarCloud Quality Gate passed! Quality Gate passed
Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells
So it seems like SonarCloud did not catch the security error in the code.
I looked for a version and this is the only one I found:
Let me know if I need to provide more info.
Do you see the code in the Code tab of your pull request on SonarCloud?
Hi. Thanks for replying.
I only see a search bar on the Code tab, but otherwise it’s empty.
What this probably means is that SonarQube isn’t detecting the file as having changed in your pull request.
Do you see any details in your scanner logs about SCM Blame, or the detection of changed files (specifically warnings/errors)? If you turn on DEBUG logging (sonar-scanner -X), do you see the file has been indexed?
I turned on the debug logging by adding this property to SonarQube: sonar.log.level=DEBUG, and ran the pull request job again on Bitrise.
I could see the file where I put the security-violating code being picked up:
14:40:55.901 DEBUG: file=/Users/vagrant/git/.git/objects/.probe-b8ba273c-cc39-41a4-9d32-d189bc2340f5, lastModified changed from 2023-02-21 14:40:55.901222000 to 2023-02-21 14:40:55.901747000
14:40:55.902 DEBUG: 'Econ/App/Launch/SplashViewController.swift' indexed with language 'swift'
14:41:01.815 DEBUG: 'Econ/App/Launch/SplashViewController.swift' generated metadata with charset 'UTF-8'
But those are the only ones mentioning the file in the log. There’s still no security violation report.
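As an added example (not from this thread and not Sonar's own analyzer), here is a small local pre-check that flags the same kind of hotspot the rule describes: IPv4 literals hardcoded in Swift string literals. The sample Swift source is constructed, and skipping loopback, unspecified and broadcast addresses is an assumption modelled on the rule's description rather than the analyzer's exact behaviour.

```python
import re
from ipaddress import ip_address, IPv4Address

# Matches a double-quoted Swift string literal that is exactly a dotted quad.
_IPV4_LITERAL = re.compile(r'"((?:\d{1,3}\.){3}\d{1,3})"')


def is_sensitive(addr: str) -> bool:
    """Return True if addr is a routable IPv4 address worth flagging.

    Assumption: like the rule's documented exceptions, loopback (127/8),
    the unspecified address 0.0.0.0 and the broadcast address are skipped.
    Malformed dotted quads (e.g. 999.1.1.1) are not IP addresses at all.
    """
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    if not isinstance(ip, IPv4Address):
        return False
    return not (ip.is_loopback or ip.is_unspecified or addr == "255.255.255.255")


def find_hardcoded_ips(swift_source: str) -> list[tuple[int, str]]:
    """Return (line_number, address) for each hardcoded IPv4 string literal."""
    hits = []
    for lineno, line in enumerate(swift_source.splitlines(), start=1):
        if line.lstrip().startswith("//"):  # skip whole-line comments
            continue
        for addr in _IPV4_LITERAL.findall(line):
            if is_sensitive(addr):
                hits.append((lineno, addr))
    return hits


# Constructed sample, modelled on the snippet pasted into the PR above.
SAMPLE_SWIFT = '''\
import UIKit

final class SplashViewController: UIViewController {
    let host = "192.168.12.42"      // sensitive: routable address
    let local = "127.0.0.1"         // loopback: not reported
    let any = "0.0.0.0"             // unspecified: not reported
    let version = "1.2.3.4"         // looks like an IP, so it is flagged too
    // let old = "10.0.0.1"         // commented out: ignored
}
'''

if __name__ == "__main__":
    for lineno, addr in find_hardcoded_ips(SAMPLE_SWIFT):
        print(f"line {lineno}: hardcoded IP address {addr}")
```

Running this over the changed file before pushing confirms the literal is present and detectable, which separates "the rule did not fire" from "the analysis never looked at this file".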