My team is trying to see if SonarCloud can catch Security Hotspots in the builds for our iOS app. So I made a branch on GitHub, and then looked at one security rule, which is this:
Using hardcoded IP addresses is security-sensitive (swift:S1313, tagged owasp-a3)
And then I deliberately pasted the code example given in the rule, which looks like this: let host = "192.168.12.42"
Then I created a pull request which triggered the build in Bitrise. After the build I got a notification:
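To make the rule's target concrete, here is an added example (not part of the original post, and not SonarSource's own implementation of swift:S1313) that scans Swift source for IP-address literals inside string literals, the pattern the rule is meant to surface as a Security Hotspot. The sample Swift lines are constructed for this example and include the snippet from the post; the exemption of loopback, unspecified and broadcast addresses is an assumption about what a reviewer would want to skip, not a statement of the rule's exact exception list.

```python
import ipaddress
import re

# Constructed Swift sample; line 2 is the snippet pasted into the branch in the post above.
SAMPLE_SWIFT = '''\
import Foundation
let host = "192.168.12.42"
let loopback = "127.0.0.1"
let version = "1.2.3"
let v6 = "2001:db8::1"
let anyAddr = "0.0.0.0"
let comment = "see 10.0.0.1" // an IP buried inside a longer string
'''

# A Swift double-quoted string literal (handles escaped quotes inside it).
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Loose candidates; ipaddress does the real validation below.
IPV4_CANDIDATE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')
IPV6_CANDIDATE = re.compile(r'(?<![\w:])[0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7}(?![\w:])')


def is_exempt(ip) -> bool:
    """Assumption for this example: addresses that cannot point at a real remote host
    (loopback, unspecified, limited broadcast) are not worth a hotspot."""
    return (
        ip.is_loopback
        or ip.is_unspecified
        or ip == ipaddress.ip_address("255.255.255.255")
    )


def find_hardcoded_ips(source: str):
    """Return (line_number, address, source_line) for every non-exempt IP literal
    found inside a string literal. Time stamps such as "14:40:55" are rejected by
    ipaddress and therefore never reported."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for literal in STRING_LITERAL.finditer(line):
            text = literal.group(1)
            for cand in IPV4_CANDIDATE.findall(text) + IPV6_CANDIDATE.findall(text):
                try:
                    ip = ipaddress.ip_address(cand)
                except ValueError:
                    continue  # looked like an address but is not one
                if is_exempt(ip):
                    continue
                findings.append((lineno, str(ip), line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, ip, line in find_hardcoded_ips(SAMPLE_SWIFT):
        print(f"line {lineno}: hardcoded IP {ip} in: {line}")
```

Running it on the sample reports lines 2, 5 and 7; the loopback and 0.0.0.0 literals and the "1.2.3" version string are left alone. The defensive fix the rule points toward is the same in every case: load the host from configuration (an Info.plist key, a build setting or a remote config) so the value is not baked into the binary.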
What this probably means is that SonarQube isn’t detecting the file as having changed in your pull request.
Do you see any details in your scanner logs about SCM blame, or the detection of changed files (specifically warnings/errors)? If you turn on DEBUG logging (sonar-scanner -X), do you see that the file has been indexed?
I turned on the debug logging by adding this property to SonarQube: sonar.log.level=DEBUG and ran the pull request job again on Bitrise.
I could see that the file where I put the security-violating code was being picked up:
14:40:55.901 DEBUG: file=/Users/vagrant/git/.git/objects/.probe-b8ba273c-cc39-41a4-9d32-d189bc2340f5, lastModified changed from 2023-02-21 14:40:55.901222000 to 2023-02-21 14:40:55.901747000
14:40:55.902 DEBUG: 'Econ/App/Launch/SplashViewController.swift' indexed with language 'swift'
14:41:01.815 DEBUG: 'Econ/App/Launch/SplashViewController.swift' generated metadata with charset 'UTF-8'
But those are the only ones mentioning the file in the log. There’s still no security violation report.