Web.config not being scanned

inverted_llama · August 8, 2023, 12:49am

I’m looking at our SonarQube integration and it doesn’t seem to be scanning Web.config files properly. It should be failing this rule as the max request length is set to 100000 but it’s not.

Snippet from config:

<httpRuntime targetFramework="4.8" maxRequestLength="100000" executionTimeout="360" enableVersionHeader="false" />

I’ve tried adding this which means it picks up commented out XML but does not seem to recognise web.configs as config files so does not pick up the aforementioned rule

sonar.xml.file.suffixes=.xml,.xsd,.xsl,.vbproj,.config

I’ve also tried telling it to use the cs analyzer for the config files however this didn’t work either

sonar.cs.file.suffixes=.config

SonarQube - Enterprise Edition Version 9.9 (build 65466)

Colin · August 9, 2023, 6:48am

Hey there.

I suggest reverting any changes to language file suffixes, as they shouldn’t be needed.

Can you go into detail about how you configure and run your analysis? Which scanner(s) are used, and in what environment (locally a DevOps platform like Azure DevOps…)

inverted_llama · August 11, 2023, 3:36pm

I’m using Azure Devops pipelines with the standard jobs (SonarQubePrepare@4, SonarQubeAnalyze@4, SonarQubePublish@4). It has picked up some security issues around some connection stings in the configs so it is running some sort of analysis on the files however the content length rule doesn’t seem to be working.

Colin · August 14, 2023, 7:51am

Thanks. Just one last check – have you checked not only the Issues tab of your project but also the Security Hotspots tab? This rule is a security hotspot, and thus will only show up in the latter.

inverted_llama · August 15, 2023, 1:39pm

Yes, it’s not appearing in the Issues or Security Hotspots tabs

Colin · August 15, 2023, 2:02pm

Thanks.

Actually, looking at your example again:

This wouldn’t trigger the rule, which is defaulted to a maxRequestLength of 8000000 (8 million), and your example of 100000 (One hundred thousand) is less than that.

Am I missing something?

inverted_llama · August 17, 2023, 8:15am

The comment on the rule says this part of the config is in KB not bytes

<!-- Sensitive: maxRequestLength is exprimed in KB, so 81920KB = 80MB  -->

Colin · August 24, 2023, 9:56am

Hey there.

Thanks, sorry, my mistake.

I have tried to reproduce the issue with this web.config:

<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" maxRequestLength="100000" executionTimeout="360" enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
    </security>
  </system.webServer>
</configuration>

And the issue is raised as expected:

/Users/colin/Source/dotnetwebconfig/web.config(4,40): warning S5693: Make sure the content length limit is safe here. [/Users/colin/Source/dotnetwebconfig/dotnetwebconfig.csproj]

Am I missing something in my reproducer that makes it different than yours?