SonarQube 7.7 - OnPremise - GC overhead limit exceeded on analyzing the rule S3649

Thanks for your reply.

  1. MSBuild Scanner version 4.6.0.1930 for .Net framework
  2. The ruleset does still include the security rules
    <Rule Id="S2631" Action="Warning" />
    <Rule Id="S5146" Action="Warning" />
    <Rule Id="S5145" Action="Warning" />
    <Rule Id="S5167" Action="Warning" />
    <Rule Id="S2076" Action="Warning" />
    <Rule Id="S5131" Action="Warning" />
    <Rule Id="S5144" Action="Warning" />
    <Rule Id="S2083" Action="Warning" />
    <Rule Id="S3649" Action="Warning" />
    <Rule Id="S2091" Action="Warning" />
    <Rule Id="S2078" Action="Warning" />
  </Rules>

This probably explains why rules are still getting analyzed. Now I have disabled the rule by going to the project --> Administration --> Analysis Scope
and defined the following key/values for sonar.issue.ignore.multicriteria

Rule key pattern : roslyn.sonaranalyzer.security.cs:S3649
File Path pattern: **/*

We didn’t disable the rule from the Quality profile because it is used by all the projects, so I thought we could override it in the analysis scope and get the desired result for this project. This doesn’t bring the desired result. Why? If that is not what it is intended for, do we have to create a separate quality profile for this project and disable the rule there?

Now the next step is to understand why that rule causes the issue. I enabled verbose logging on a project and have the following log from the analysis of S3649:

[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: Failed to read resource file: roslyn.sonaranalyzer.security.cs/sanitizers/S3649.json
[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: loaded 24 sanitizers for rule S3649
[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: Failed to read resource file: roslyn.sonaranalyzer.security.cs/passthroughs/S3649.json
[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: loaded 50 spec-type for rule S3649
[14:12:41] :	 [Step 7/7] 18:12:41.097 DEBUG: Running rule roslyn.sonaranalyzer.security.cs:S3649
...
[16:19:57] :	 [Step 7/7] 20:19:57.718 DEBUG: Invoking method with ucfg : <REDACTED>
[16:20:35] :	 [Step 7/7] 20:20:35.621 DEBUG: Matching passthrough : __concat
[16:20:35] :	 [Step 7/7] 20:20:35.621 DEBUG: Matching passthrough : System.Collections.Generic.List<T>.Count.get
[16:21:28] :	 [Step 7/7] 20:21:28.723 DEBUG: Invoking method with ucfg : <REDACTED>
[16:21:54] :	 [Step 7/7] 20:21:54.711 INFO: ------------------------------------------------------------------------
[16:21:54] :	 [Step 7/7] 20:21:54.711 INFO: EXECUTION FAILURE
[16:21:54] :	 [Step 7/7] 20:21:54.711 INFO: ------------------------------------------------------------------------
[16:21:54] :	 [Step 7/7] 20:21:54.711 INFO: Total time: 2:12:31.820s
[16:21:54]W:	 [Step 7/7] 20:21:54.869 ERROR: Error during SonarQube Scanner execution
[16:21:54] :	 [Step 7/7] 20:21:54.869 INFO: Final Memory: 19M/2808M
[16:21:54] :	 [Step 7/7] 20:21:54.869 INFO: ------------------------------------------------------------------------
[16:21:54]W:	 [Step 7/7] java.lang.OutOfMemoryError: GC overhead limit exceeded
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.H.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at org.B.E.B(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.F.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.A.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.D.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.E$$Lambda$1207/1070814989.apply(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.ReduceOps$1ReducingSink.accept(ReduceOps.java:80)
[16:21:54]W:	 [Step 7/7] 	at java.util.Iterator.forEachRemaining(Iterator.java:116)
[16:21:54]W:	 [Step 7/7] 	at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
[16:21:54]W:	 [Step 7/7] 	at java.util.stream.ReferencePipeline.reduce(ReferencePipeline.java:474)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.B.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.E.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.E.A(Unknown Source)
[16:21:54]W:	 [Step 7/7] 	at com.sonar.security.analysis.taint.A.E$$Lambda$1203/332603856.apply(Unknown Source)
[16:21:55] :	 [Step 7/7] Process returned exit code 1
[16:21:55]W:	 [Step 7/7] The SonarQube Scanner did not complete successfully
[16:21:55]W:	 [Step 7/7] 20:21:55.312  Post-processing failed. Exit code: 1
[16:21:55]W:	 [Step 7/7] Process exited with code 1
[16:21:56]E:	 [Step 7/7] Process exited with code 1 (Step: SonarQube end step (Command Line))
[16:21:56]E:	 [Step 7/7] Out of memory: GC overhead limit exceeded

  1. Yes, I do have the settings inside SonarQubeAnalysisConfig.xml
    <AnalyzerSettings>
      <Language>cs</Language>
      <RuleSetFilePath>C:\projects\tax-management-core\.sonarqube\conf\SonarQubeRoslyn-cs.ruleset</RuleSetFilePath>
      <TestProjectRuleSetFilePath>C:\projects\tax-management-core\.sonarqube\conf\SonarQubeRoslyn-cs-test.ruleset</TestProjectRuleSetFilePath>
      <AnalyzerPlugins>
        <AnalyzerPlugin Key="csharp" Version="7.11.0.8083" StaticResourceName="SonarAnalyzer-7.11.0.8083.zip">
          <AssemblyPaths>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\0\Google.Protobuf.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\0\SonarAnalyzer.CSharp.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\0\SonarAnalyzer.dll</Path>
          </AssemblyPaths>
        </AnalyzerPlugin>
        <AnalyzerPlugin Key="vbnet" Version="7.11.0.8083" StaticResourceName="SonarAnalyzer-7.11.0.8083.zip">
          <AssemblyPaths>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\1\Google.Protobuf.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\1\SonarAnalyzer.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\1\SonarAnalyzer.VisualBasic.dll</Path>
          </AssemblyPaths>
        </AnalyzerPlugin>
        <AnalyzerPlugin Key="securitycsharpfrontend" Version="7.7.0.4011" StaticResourceName="SonarAnalyzer.Security-7.7.0.4011.zip">
          <AssemblyPaths>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\2\analyzers\dotnet\cs\Google.Protobuf.dll</Path>
            <Path>C:\Users\GokulaPrakashT\AppData\Local\.sonarqube\resources\2\analyzers\dotnet\cs\SonarAnalyzer.Security.dll</Path>
          </AssemblyPaths>
        </AnalyzerPlugin>
      </AnalyzerPlugins>
      <AdditionalFilePaths>
        <Path>C:\projects\tax-management-core\.sonarqube\conf\cs\SonarLint.xml</Path>
      </AdditionalFilePaths>
    </AnalyzerSettings>
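The verbose log quoted in the post is the only thing that ties the OutOfMemoryError to a particular rule: the scanner prints `Running rule <key>` when it starts each taint rule, and S3649 was still running when the JVM gave up more than two hours later. The script below is an added example, not code from the original post or from SonarSource's tooling. It parses lines in the TeamCity-wrapped scanner format shown above (`[hh:mm:ss]W:<tab> [Step 7/7] <scanner timestamp> LEVEL: message`), measures how long each rule ran before the next rule, the `EXECUTION FAILURE` marker or the end of the log, and reports whether an `OutOfMemoryError` occurred. The sample log lines are constructed to mirror the quoted output and are not a real capture; the regular expressions assume that prefix format and a `Running rule` message, which is an assumption about the log layout rather than a documented contract.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed sample, modelled on the verbose output quoted in the post.
# The TeamCity prefix ("[14:12:41] :<tab> [Step 7/7]") carries a wall-clock
# timestamp on every line, including stack-trace lines that have no scanner
# timestamp of their own, so that prefix is used for timing.
SAMPLE_LOG = """\
[14:12:40] :\t [Step 7/7] 18:12:40.010 DEBUG: Running rule roslyn.sonaranalyzer.security.cs:S2076
[14:12:41] :\t [Step 7/7] 18:12:41.097 DEBUG: Failed to read resource file: roslyn.sonaranalyzer.security.cs/sanitizers/S3649.json
[14:12:41] :\t [Step 7/7] 18:12:41.097 DEBUG: Running rule roslyn.sonaranalyzer.security.cs:S3649
[16:19:57] :\t [Step 7/7] 20:19:57.718 DEBUG: Invoking method with ucfg : <REDACTED>
[16:21:54] :\t [Step 7/7] 20:21:54.711 INFO: EXECUTION FAILURE
[16:21:54]W:\t [Step 7/7] java.lang.OutOfMemoryError: GC overhead limit exceeded
"""

# Assumed line layout: TeamCity prefix, optional scanner "hh:mm:ss.mmm LEVEL:" part, message.
LINE_RE = re.compile(
    r"^\[(?P<tc>\d\d:\d\d:\d\d)\][ WE]?:\s+\[Step \d+/\d+\]\s+"
    r"(?:(?P<ts>\d\d:\d\d:\d\d\.\d{3})\s+(?P<level>[A-Z]+):\s+)?(?P<msg>.*)$"
)
RULE_RE = re.compile(r"^Running rule (?P<rule>[\w.]+:[A-Z]\d+)$")
OOM_MARK = "java.lang.OutOfMemoryError"
FAIL_MARK = "EXECUTION FAILURE"


class RuleSpan(NamedTuple):
    rule: str
    seconds: float
    ended_by: str  # "next-rule", "failure" or "eof"


def _parse_tc(value: str) -> datetime:
    return datetime.strptime(value, "%H:%M:%S")


def rule_spans(log_text: str) -> List[RuleSpan]:
    """Return one span per 'Running rule' marker with its wall-clock duration."""
    spans: List[RuleSpan] = []
    current: Optional[str] = None
    started: Optional[datetime] = None
    prev: Optional[datetime] = None
    day = timedelta(0)  # accumulated offset if the clock wraps past midnight

    def close(end: datetime, why: str) -> None:
        nonlocal current, started
        if current is not None and started is not None:
            spans.append(RuleSpan(current, (end - started).total_seconds(), why))
        current, started = None, None

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines without the TeamCity prefix carry no timing information
        now = _parse_tc(m.group("tc")) + day
        if prev is not None and now < prev:  # a long analysis can cross midnight
            day += timedelta(days=1)
            now += timedelta(days=1)
        prev = now
        msg = m.group("msg")
        r = RULE_RE.match(msg)
        if r:
            close(now, "next-rule")
            current, started = r.group("rule"), now
        elif FAIL_MARK in msg:
            close(now, "failure")
    if prev is not None:
        close(prev, "eof")
    return spans


def hit_oom(log_text: str) -> bool:
    """True if the scanner died with a java.lang.OutOfMemoryError."""
    return any(OOM_MARK in line for line in log_text.splitlines())


def find_culprit(log_text: str) -> Optional[RuleSpan]:
    """The rule that consumed the most wall-clock time; the suspect when the run ends in OOM."""
    spans = rule_spans(log_text)
    return max(spans, key=lambda s: s.seconds) if spans else None


if __name__ == "__main__":
    for span in rule_spans(SAMPLE_LOG):
        print(f"{span.rule:45s} {span.seconds:9.0f}s  ended by {span.ended_by}")
    culprit = find_culprit(SAMPLE_LOG)
    if hit_oom(SAMPLE_LOG) and culprit is not None:
        print(f"OOM while running {culprit.rule} ({culprit.seconds:.0f}s)")
```

Run against a full verbose log, the script ranks rules by how long the taint engine stayed inside them, which is the check to make before changing the quality profile. Two caveats follow from the post itself: `sonar.issue.ignore.multicriteria` is an issue exclusion, applied to findings after the analyzers have run, so it cannot stop S3649 from executing and cannot prevent this OutOfMemoryError; only removing the rule from the quality profile the project uses (or a dedicated profile without it) keeps it out of the generated ruleset. And the `Final Memory: 19M/2808M` line shows the end-step JVM running with a heap of roughly 2.8 GB; the scanner honours `SONAR_SCANNER_OPTS` (for example `-Xmx4g`) if a larger heap is the short-term workaround while the rule is investigated.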