Stuck on "Matching sanitizer : System.Collections.Generic.List<T>.Contains(T)" due to rule

To whom it may concern,

  • Using SonarCloud

  • ALM: Azure DevOps

  • CI: Azure DevOps

  • Using Azure hosted agents

  • The “Run Code Analysis” got stuck on Matching sanitizer : System.Collections.Generic.List<T>.Contains(T) for one of our projects (42k LoC mostly in C#)

  • Activating sonar.log.level=TRACE gave literally millions more log entries, but no clear indication of what was happening

  • Ticket #350 gave some insights:

    • Created a copy of the “Sonar way” ruleset
    • Deactivated all six rules mentioned in #350:
      • S2076 - OS commands should not be vulnerable to injection attacks
      • S2078 - LDAP queries should not be vulnerable to injection attacks
      • S2083 - I/O function calls should not be vulnerable to path injection attacks
      • S2091 - XPath expressions should not be vulnerable to injection attacks
      • S2631 - Regular expressions should not be vulnerable to Denial of Service attacks
      • S3649 - SQL queries should not be vulnerable to injection attacks
    • Everything then worked as expected, so I started activating the rules again until it broke again:
      • Rule S2083 is causing this; all other rules have been reactivated.

This is a private project, so any logs or similar details cannot be posted here. I hope this may help someone else, even if the root cause is never identified.

Thanks for reading this far,
Susana


Hello @SuChuDom,

The rules based on Taint Analysis can take a while to run and we need to face some corner cases to know where to spend our energy to optimize our analyzer.

In order to move forward, we need to run our tests with the intermediate data generated from your code. This is located in the .sonarqube\out\ucfg_cs2 folder. If you want, you can zip that folder and send it in a private conversation on the forum. We will be able to run the analysis locally using those files and eventually find the root problem.

Thanks