Using SonarCloud

To whom it may concern,

- ALM: Azure DevOps
- CI: Azure DevOps
- Using Azure hosted agents
The “Run Code Analysis” task got stuck on

    Matching sanitizer : System.Collections.Generic.List<T>.Contains(T)

for one of our projects (42k LoC, mostly in C#).

Activating

    sonar.log.level=TRACE

gave literally millions more log entries, but no clear indication of what was happening.
Ticket #350 gave some insights:

- Created a copy of the “Sonar way” ruleset
- Deactivated all six rules mentioned in #350:
  - S2076 - OS commands should not be vulnerable to injection attacks (10)
  - S2078 - LDAP queries should not be vulnerable to injection attacks (3)
  - S2083 - I/O function calls should not be vulnerable to path injection attacks (5)
  - S2091 - XPath expressions should not be vulnerable to injection attacks (1)
  - S2631 - Regular expressions should not be vulnerable to Denial of Service attacks (4)
  - S3649 - SQL queries should not be vulnerable to injection attacks (8)
- Everything then worked as expected, so I started activating the rules again until it broke again:
- Rule S2083 is causing this; all other rules have been reactivated.
This is a private project, so any logs or similar details cannot be posted here. I hope this may help someone else, even if the root cause is never identified.
Thanks for reading this far,
Susana