Sonar Cloud Security Configuration

Sonar has a module, Sonar Cloud. How can I set up a thorough secure code review with all the possible vulnerabilities, setting up hotspots? I have worked closely with Sonar Cloud but failed to find the vulnerabilities in code, while other tools report more observations. Also, Sonar Lint is one of the IDE-incorporated solutions, which doesn't solve my purpose of secure code. I need help to fine-tune the security configuration, if any.

Hi,

Welcome to the community!

Taint analysis rules purposely aren’t run in SonarLint because they would drag down the IDE performance.

Are they correct observations? It’s not a quantitative game, but a qualitative one.

And if there are true-positive issues raised by other tools, but not by us, we’re eager to learn of them so we can fix the problem.

Ann

Yes, there were many that were not reported by Sonar Cloud. Even basic hardcoded credentials were not reported by Sonar.

I am open to having your support team help me with an SOP to set up a thorough Security Profile.

I am OK with having documentation from your end as well; I am OK with being proved wrong, but as mentioned above, many of them are not reported by Sonar.

Hi,

Could you give an example of a hardcoded credential that wasn't picked up on?

Thx,
Ann