Sonar Analyzer for C# does not show everything that appear on the CLI

voidpointer · August 30, 2023, 12:56pm

I use the Sonar CLI tool to scan my C# code. Since I run the CLI in Github Actions, I get a nice list of annotations (analysis warnings) at the bottom of each workflow run. Here is an example:

https://github.com/recyclarr/recyclarr/actions/runs/6020457126

Notice at the bottom it shows some warnings, such as:

Pass a timeout to limit the execution time. (C# static code analysis: Not specifying a timeout for regular expressions is security-sensitive)

However, I do not see these warnings in my IDE (Jetbrains Rider) when I’m using the SonarAnalyzer.CSharp nuget package. Is it just that the analyzer doesn’t support all the sonar rules? Seems like sonar rules start with S while the analyzer starts with RSPEC, so it’s hard to cross-reference things and find out what is going on.

Why do some rules not show up locally for me?

Is the better option to use SonarLint? I’ve never used it before. I see that there is a Rider plugin.

Colin · August 30, 2023, 2:10pm

Hey there.

This rule is considered a hotspot (a concept that will probably be gone by the end of this year) but for now refers to code that requires review before deciding if it’s a real issue or not. These are only available in SonarQube/SonarCloud (see GitHub issue) – but due to how analysis is executed and results are fed to SonarQube, are available as build warnings (that’s not where we expect most users to spend time looking at issues, rather than the UI).

system · September 6, 2023, 2:11pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.