Suppress security hotspot in Razor file

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps

Hi,
I have "C# static code analysis: Using clear-text protocols is security-sensitive" being reported as a false positive in a *.razor file. How can I suppress this in the code? I tried the SuppressMessage attribute, pragma disable warning and //NOSONAR, but none of them seems to work.

Thanks
Pascal

Hi @pascalberger,

Currently, we do not support issue suppression for .razor/.cshtml files. I’ve added an issue for this: Analysis warnings in .razor files cannot be suppressed · Issue #8050 · SonarSource/sonar-dotnet · GitHub.

The workaround is to review the hotspot on the server.

Best,
Costin

In my case the recent introduction of Razor analysis led to the issue in any pull request, since it throws a warning in the build. But there was no security hotspot on the pull request analysis in SonarCloud which could be reviewed. The only workaround was to disable Razor analysis.

Hi Pascal,

Can you help us with a code snippet or a reproducer? If you give us more details it will help us understand the problem and fix the FP.