I have developers that are pushing pull request related builds to Sonar Cloud and we started seeing issues appear for “Make sure that exposing this HTTP endpoint is safe here”. We have followed the guidance in the documentation to review the code and make sure it is safe, but in a pull request, the option to “Detect” or “Clear” is not available, causing this scan to block completion of our pull request. This is a new issue we encountered yesterday and cannot overcome because the platform UI doesn’t allow us to.
Typically, we would change the state of the issue from “Open” to “Detect” or “Clear”.
If your project is public, I’d appreciate it if you could send a direct link to the PR in question. Otherwise, for now you could also attach a screenshot of the UI behaviour you observe. And just in case: do you still have the ‘Confirm’ option in the dropdown?
I have done some more research on this. It looks like the C# Quality Profile was updated on 11/29 to include additional rules, but the SonarCloud UI doesn’t appear to be able to suppress individual issues of this kind inside a PR. Please see the screenshots of our experience from our private source.
Yup, this seems to be matching rule S4529. What’s surprising though is that the issue has the ‘roslyn’ badge, which would indicate that it was found by an external engine (and not SonarQube’s engine, see this topic for example).
Can you share what output you get when hitting the three dots ... next to the issue message?
Here is a screenshot from the three dots menu. It appears as though the documentation is failing to load fully. Do you have any recommendations on how to suppress or resolve this within the UI so we can move forward with completing our PR?
Generally speaking, rules reported by external analyzers cannot be acted upon directly in the PR, and that’s by design (because they’re reported by external tools, see discussion in this other topic I mentioned).
In this case the issue has the roslyn flag, when in fact its rule is a native SonarQube one (rule S4529). This looks fishy to me, let me ask some colleagues what could be going on.
I confirm that we have a bug in our current C# and VB .Net analysis. We are working on it and I will come back to you as soon as it is fixed.
In the meantime you can unblock your pull requests by ignoring external Roslyn errors in your project like this: go to your project’s Administration tab > General Settings > External analyzers > C# > Ignore issues from external Roslyn analyzers > enable the option. The security hotspot issues will disappear the next time your pull requests are analyzed.