Sonar scanning not catching the issues reported by Microsoft Scanning

Our code is submitted to Microsoft for their code review, and the categories of issues below are reported by them. We would like to know how come Sonar scanning is not catching these issues. Is it possible to guide us on this?

Always create TaskCompletionSource with TaskCreationOptions.RunContinuationsAsynchronously
Async void
Avoid Calling Obsolete Members
Avoid Expensive Reflection Calls
Avoid Exposed Controller Actions
Avoid Poor Allocation Pattern
Consider Replacing XmlDocument with XElement
Do not raise reserved exception types
Do not store IHttpContextAccessor.HttpContext in a field
Explicitly Call Dispose or Close on Resources You Open
Implement All Exception Handlers
Lock Generic Dictionaries
Pool HTTP connections with HttpClientFactory
Prefer async/await over directly returning Task
Prefer TryParse Over Parse Methods
Use Try and Finally on Disposable Resources
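As an added illustration (not code from the original post, from Microsoft's tool or from SonarQube), the following constructed C# sample shows a flagged form beside a compliant form for two of the listed categories, "Async void" and "Always create TaskCompletionSource with TaskCreationOptions.RunContinuationsAsynchronously"; the method names are hypothetical.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Constructed sample: one flagged and one compliant form for two of the
// rule categories in the list above. All names here are hypothetical.
public static class RuleSamples
{
    // Flagged ("Async void"): the caller cannot await this method, and an
    // exception thrown after the first await is raised on the
    // SynchronizationContext or thread pool, where no caller can observe it;
    // an unhandled exception there typically terminates the process.
    public static async void FireAndForgetFlagged()
    {
        await Task.Delay(10);
        throw new InvalidOperationException("nobody can catch this");
    }

    // Compliant: return Task so the caller can await it and handle failure.
    public static async Task FireAndForgetCompliant()
    {
        await Task.Delay(10);
        throw new InvalidOperationException("the caller can catch this");
    }

    // Flagged: without RunContinuationsAsynchronously, TrySetResult runs the
    // awaiting continuations synchronously on the thread that completes the
    // source, so unrelated caller code executes inside this worker and can
    // block it or deadlock if the caller holds a lock.
    public static Task<int> CompleteLaterFlagged()
    {
        var tcs = new TaskCompletionSource<int>();
        ThreadPool.QueueUserWorkItem(_ => tcs.TrySetResult(42));
        return tcs.Task;
    }

    // Compliant: continuations are queued to the thread pool instead of
    // running inline on the completing thread.
    public static Task<int> CompleteLaterCompliant()
    {
        var tcs = new TaskCompletionSource<int>(TaskCreationOptions.RunContinuationsAsynchronously);
        ThreadPool.QueueUserWorkItem(_ => tcs.TrySetResult(42));
        return tcs.Task;
    }

    public static async Task Main()
    {
        try { await FireAndForgetCompliant(); }
        catch (InvalidOperationException ex) { Console.WriteLine($"observed: {ex.Message}"); }
        Console.WriteLine(await CompleteLaterCompliant()); // 42
    }
}
```

Samples of this shape, one flagged method and one compliant method per category, are what a rule request or a "why was this not raised" question needs so that the behaviour of the analyzer can be checked against a concrete input.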

Hey there.

  • You’re submitting your code to Microsoft for… manual review? To be run through a special tool? Something else?
  • What version of SonarQube are you using?

I’m sure some of these rules exist in the latest version of SonarQube: like S6292: You should pool HTTP connections with HttpClientFactory. At the same time, I don’t expect them all to exist in SonarQube (and without a thorough description of each rule, and code samples where you expect an issue to be raised, nobody will be able to give you a complete answer).

I want to review all these issues; I can share the details you need. Is there a way I can get these added as rules and address the issues?

New rules don’t appear out of nowhere. They require development time, thoughtful planning if they fit into our roadmap/priorities, and demand from users… You are welcome to provide feedback (and we encourage it), but we won’t be able to wave a magic wand and fill in the blanks (if they exist) immediately.

  • You’re submitting your code to Microsoft for… manual review? To be run through a special tool? Something else? PraveenV - Yes, they are using some tool to run tests and report them back.
  • What version of SonarQube are you using? PraveenV - We are using SonarQube Enterprise 10.3

Can you please look into my query?

Hey there.

You’re welcome to: