SonarCloud is not detecting vulnerabilities of the Project

  • ALM used Azure DevOps (Azure repos)

  • CI system used Azure DevOps

  • Languages of the repository: ASP.NET core

  • Only if the SonarCloud project is public, the URL : Private

  • Error observed: 0 vulnerabilities in sonar cloud project

Our organization uses sonar cloud paid plan for static code analysis. We setup sonar integration using Azure Devops for the project but we don’t see any vulnerabilities detected within the project (the project do have vulnerabilities and has been detected by other security resource within the organization). Not sure what needs to be configured here additionally.

FYI we exposed SQL database connection string (password/username) within the repo which I believe is a vulnerability which sonar should detect but it is not working as expected.
Vulnerability comes from the sonar default way rules I don’t see anything that’s need to be added manually.

FYI: I followed this conversation but it incomplete SonarCloud not detecting vulnerability

Please help! Thank you.

Hey there.

I would recommend following the guidelines in this post for reporting a vulnerability:

Including a code snippet of the code you expect a vulnerability to be raised on.

Hey @Colin

I included non-compliance code snippet in my code and ran the analysis to generate vulnerability

Reference: SonarSource Code Analyzers Rules Explorer

SonarCloud does not detect vulnerability here:

Thank you!

Hey there.

We’re almost there. Please make sure to provide text-as-code rather than a screenshot.

We also need you to include a code sample

This code sample should either be:

  • code-as-text. Not a screenshot of code or a screenshot of an issue raised in SonarQube.
  • Or a link to code that raises the issue (or doesn’t) on a public SonarCloud project

@Colin This is the code which I used to reproduce the issue in my project:

using Microsoft.AspNetCore.Mvc;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

namespace Counter_AuditAppRestAPI_Stateless.Controllers
    public class HomeController: Controller
        public IActionResult RedirectMe(string url)
        return Redirect(url);

    public IActionResult SetLocationHeader(string url)
        Response.Headers["Location"] = url; // Noncompliant
        return StatusCode(302);

Hey Kavya,

I am not able to reproduce this, for me, the code raises the vulnerability. Can you tell us more about how you perform the scan? .NET analysis requires hooking the build process, maybe that step is incomplete and no proper analysis is performed.

Maybe you can share the logs of a scan, that would be quite helpful.

Hey @Hendrik_Buchwald

Logs: (229.7 KB)

Pipeline Configuration: (926 Bytes)

Thank you!

1 Like

Thanks a lot! I have pinged my colleagues that are hopefully able to bring some light in the dark.

1 Like

Hey @Hendrik_Buchwald Any update on above ask?

Hey @Colin @Hendrik_Buchwald Is there any update on above issue? Have you found anything?

Hello @kavya1

We would need your help to be able to investigate further what the problem is.
Could you please provide us with the content of the .sonarqube\out\ucfg_cs2 folder?

All the best,

Hello @Caba_Sagi

I have attached the logs above. Please find the additional details from above logs.

Let me know if you need anything else from my end.

Thank you!

We have seen the logs you have provided and based on that we would like to ask you to provide us with the content of the .sonarqube\out\ucfg_cs2 folder if possible.

@Caba_Sagi Could you please let me know where can I find .sonarqube\out\ucfg_cs2 folder? Is it the logs from Run code analysis step from the azure devops pipeline?

According to the logs it is located at D:\a\1.sonarqube\out\ucfg_cs2 (2.9 MB)

@Caba_Sagi Please find attached .sonarqube folder

Hey @Caba_Sagi

Do you have any update on the issue here?

Hello @kavya1,

We have had a bit of time today to look at your problem and it seems we have found what the problem is.
Looking at the .yml file of your pipeline configuration you are doing a dotnet build and a dotnet test right one after the other. Without adding the –no-build option to dotnet test you will build your project twice (and run the analysis twice) which will report all the issues twice and our engine gets confused and will throw away both findings. My colleagues are going to fix this behaviour of the engine in the future.
As an immediate workaround, you can add the –no-build option to the dotnet test command and it should fix the problem for you. Additionally, it will also decrease the execution time of your pipeline as it will not run the analysis twice.

I hope this will help you fix your problem.

All the best,


Hi @Caba_Sagi

Adding the –no-build option to dotnet test task helped to get the vulnerability for the project.

Thanks much!

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.