Vulnerable in code increase

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube Version : 8.4.2.36762

In one of the project
Last month we had fixed all the bug, vulnerable in C# & C++ code.
Today when the sonar scanner was run we are seeing 57 vulnerable hotspot.

I see there is no change in code repo. No new code is checked in to the repo.
And have compared the sonars canner logs of today & last month scan. i see no difference.

At First i thought till today sonar scanner was not picking all files from the repo to run analysis. but when compared all files there was no issue. The file count matches.

Do any of you have any idea ?
Is the vulnerable or static rules get update in sonar qube server regularly or what ?

Hello @Sharathshashi,

It’s not easy to guess what could have changed:

  • maybe your Quality Profile was modified to enable rules that were previously disabled
  • or your SonarQube version was updated (and so were the plugins that analyze C# & C++ code). We continuously work on improving the results of the analysis, so every update of SonarQube means that the analysis is modified (some rules were added, we fixed some cases where issues were not found etc…)

Do these 57 issues (are they security hotspots? or vulnerability issues? or different kinds?) make sense?
If you think some of them are false positives, do not hesitate to share them with us and we’ll be glad to have a look.

Thank. All the security hotspots and vulnerability issues makes sense.
Seems SonarQube plugins that analyze got updated.

Any idea how frequent the plugin are updated ?

It varies, but globally there is a new SonarQube release every 1-2 months.