I use the Sonar CLI tool to scan my C# code. Since I run the CLI in Github Actions, I get a nice list of annotations (analysis warnings) at the bottom of each workflow run. Here is an example:
Notice at the bottom it shows some warnings, such as:
Pass a timeout to limit the execution time. (C# static code analysis: Not specifying a timeout for regular expressions is security-sensitive)
However, I do not see these warnings in my IDE (Jetbrains Rider) when I’m using the SonarAnalyzer.CSharp nuget package. Is it just that the analyzer doesn’t support all the sonar rules? Seems like sonar rules start with
S while the analyzer starts with
RSPEC, so it’s hard to cross-reference things and find out what is going on.
Why do some rules not show up locally for me?
Is the better option to use SonarLint? I’ve never used it before. I see that there is a Rider plugin.