SonarCloud is not detecting vulnerabilities of the Project

  • ALM used Azure DevOps (Azure repos)

  • CI system used Azure DevOps

  • Languages of the repository: ASP.NET core

  • Only if the SonarCloud project is public, the URL: Private

  • Error observed: 0 vulnerabilities in sonar cloud project

Our organization uses the SonarCloud paid plan for static code analysis. We set up the Sonar integration using Azure DevOps for the project, but we don’t see any vulnerabilities detected within the project (the project does have vulnerabilities, and they have been detected by other security resources within the organization). Not sure what needs to be configured here additionally.

FYI, we exposed a SQL database connection string (password/username) within the repo, which I believe is a vulnerability that Sonar should detect, but it is not working as expected.
Vulnerabilities come from the Sonar default way rules; I don’t see anything that needs to be added manually.

FYI: I followed this conversation, but it is incomplete: SonarCloud not detecting vulnerability

Please help! Thank you.

Hey there.

I would recommend following the guidelines in this post for reporting a vulnerability:

Including a code snippet of the code you expect a vulnerability to be raised on.

Hey @Colin

I included a non-compliant code snippet in my code and ran the analysis to generate a vulnerability.

Reference: SonarSource Code Analyzers Rules Explorer

SonarCloud does not detect vulnerability here:

Thank you!

Hey there.

We’re almost there. Please make sure to provide text-as-code rather than a screenshot.

We also need you to include a code sample.

This code sample should either be:

  • code-as-text. Not a screenshot of code or a screenshot of an issue raised in SonarQube.
  • Or a link to code that raises the issue (or doesn’t) on a public SonarCloud project

@Colin This is the code which I used to reproduce the issue in my project:

using Microsoft.AspNetCore.Mvc;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

namespace Counter_AuditAppRestAPI_Stateless.Controllers
{
    public class HomeController : Controller
    {
        // Deliberately noncompliant sample (open redirect, taken from the rule explorer):
        // the redirect target comes straight from user input.
        public IActionResult RedirectMe(string url)
        {
            return Redirect(url);
        }

        public IActionResult SetLocationHeader(string url)
        {
            Response.Headers["Location"] = url; // Noncompliant
            return StatusCode(302);
        }
    }
}

Hey Kavya,

I am not able to reproduce this; for me, the code raises the vulnerability. Can you tell us more about how you perform the scan? .NET analysis requires hooking the build process; maybe that step is incomplete and no proper analysis is performed.

Maybe you can share the logs of a scan, that would be quite helpful.

Hey @Hendrik_Buchwald

Logs: logs_19321.zip (229.7 KB)

Pipeline Configuration:
Counter_AuditAppRestAPI_Stateless-k8s-CI-PR.zip (926 Bytes)

Thank you!

1 Like

Thanks a lot! I have pinged my colleagues that are hopefully able to bring some light in the dark.

1 Like

Hey @Hendrik_Buchwald, any update on the above ask?

Hey @Colin @Hendrik_Buchwald, is there any update on the above issue? Have you found anything?

Hello @kavya1

We would need your help to be able to investigate further what the problem is.
Could you please provide us with the content of the .sonarqube\out\ucfg_cs2 folder?

All the best,
Čaba

Hello @Caba_Sagi

I have attached the logs above. Please find the additional details from above logs.

Let me know if you need anything else from my end.

Thank you!

We have seen the logs you have provided, and based on that we would like to ask you to provide us with the content of the .sonarqube\out\ucfg_cs2 folder if possible.

@Caba_Sagi Could you please let me know where I can find the .sonarqube\out\ucfg_cs2 folder? Is it in the logs from the Run Code Analysis step of the Azure DevOps pipeline?

According to the logs it is located at D:\a\1.sonarqube\out\ucfg_cs2

.sonarqube.zip (2.9 MB)

@Caba_Sagi Please find the .sonarqube folder attached.

Hey @Caba_Sagi

Do you have any update on the issue here?

Hello @kavya1,

We have had a bit of time today to look at your problem, and it seems we have found what the problem is.
Looking at the .yml file of your pipeline configuration, you are doing a dotnet build and a dotnet test right one after the other. Without adding the --no-build option to dotnet test, you will build your project twice (and run the analysis twice), which will report all the issues twice; our engine gets confused and will throw away both findings. My colleagues are going to fix this behaviour of the engine in the future.
As an immediate workaround, you can add the --no-build option to the dotnet test command and it should fix the problem for you. Additionally, it will also decrease the execution time of your pipeline, as it will not run the analysis twice.

I hope this will help you fix your problem.

All the best,
Čaba

3 Likes
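To make the fix above concrete, here is an added example of an Azure DevOps YAML pipeline with the failing ordering (dotnet build followed by a dotnet test that rebuilds) and the corrected step side by side. It is not the poster's pipeline, which is only attached as a zip, and the service connection name, organization key, project key and project globs are placeholders; the task names are the standard SonarCloud and .NET CLI marketplace tasks.

```yaml
# Added example, not the pipeline from the thread. Service connection,
# organization key, project key and file globs are placeholders.
trigger:
  - main

pool:
  vmImage: 'windows-latest'

steps:
  # Hooks the build so the C# analyzers run inside MSBuild.
  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'sonarcloud-service-connection'   # placeholder
      organization: 'your-org-key'                  # placeholder
      scannerMode: 'MSBuild'
      projectKey: 'your-project-key'                # placeholder

  - task: DotNetCoreCLI@2
    displayName: 'dotnet build'
    inputs:
      command: 'build'
      projects: '**/*.sln'
      arguments: '--configuration Release'

  # Broken variant (the behaviour diagnosed in the thread): without --no-build,
  # dotnet test compiles the solution again, the analyzers run a second time,
  # every finding is reported twice and the engine drops both copies.
  # - task: DotNetCoreCLI@2
  #   displayName: 'dotnet test (rebuilds, double analysis)'
  #   inputs:
  #     command: 'test'
  #     projects: '**/*Tests.csproj'
  #     arguments: '--configuration Release'

  # Fixed variant: reuse the binaries produced by the build step. The
  # --configuration value must match the build step, otherwise --no-build
  # finds no output to test.
  - task: DotNetCoreCLI@2
    displayName: 'dotnet test (no rebuild)'
    inputs:
      command: 'test'
      projects: '**/*Tests.csproj'
      arguments: '--configuration Release --no-build'

  # Runs the end-of-build analysis exactly once, then publishes the result.
  - task: SonarCloudAnalyze@1

  - task: SonarCloudPublish@1
    inputs:
      pollingTimeoutSec: '300'
```

A quick way to confirm the change took effect is to open the log of the test step after the pipeline runs: with --no-build it should no longer show the projects being compiled, and the SonarCloud project should start reporting the findings that were previously discarded.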

Hi @Caba_Sagi

Adding the --no-build option to the dotnet test task helped to get the vulnerability reported for the project.

Thanks much!

1 Like
