I’m looking at our SonarQube integration, and it doesn’t seem to be scanning Web.config files properly. It should be failing this rule, as the max request length is set to 100000, but it’s not.
I’ve tried adding this, which means it picks up commented-out XML, but it does not seem to recognise web.configs as config files, so it does not pick up the aforementioned rule.
I suggest reverting any changes to language file suffixes, as they shouldn’t be needed.
Can you go into detail about how you configure and run your analysis? Which scanner(s) are used, and in what environment (locally, a DevOps platform like Azure DevOps…)?
I’m using Azure DevOps pipelines with the standard jobs (SonarQubePrepare@4, SonarQubeAnalyze@4, SonarQubePublish@4). It has picked up some security issues around some connection strings in the configs, so it is running some sort of analysis on the files; however, the content length rule doesn’t seem to be working.
Thanks. Just one last check – have you checked not only the Issues tab of your project but also the Security Hotspots tab? This rule is a security hotspot, and thus will only show up in the latter.
This wouldn’t trigger the rule, which is defaulted to a maxRequestLength of 8000000 (8 million), and your example of 100000 (One hundred thousand) is less than that.
/Users/colin/Source/dotnetwebconfig/web.config(4,40): warning S5693: Make sure the content length limit is safe here. [/Users/colin/Source/dotnetwebconfig/dotnetwebconfig.csproj]
Am I missing something in my reproducer that makes it different than yours?
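The threshold logic described in the reply above, as an added example that is not SonarSource's rule implementation: a small Python check that parses a web.config and reports any httpRuntime maxRequestLength above 8000000 (the default quoted in the thread), together with the element's line number so the result can be compared against the scanner's "(line,col): warning S5693" output. Both sample configs below are constructed.

```python
"""Stand-alone approximation of the S5693 threshold check for web.config (added example)."""
import xml.parsers.expat

# Default quoted in the thread. Assumption: the attribute value is compared as a plain integer.
DEFAULT_LIMIT = 8_000_000


def find_request_length_hotspots(web_config_xml: str, limit: int = DEFAULT_LIMIT) -> list[dict]:
    """Return one finding per <httpRuntime maxRequestLength="..."> whose value exceeds `limit`.

    Uses expat so each finding carries the element's line number (1-based) and column
    (0-based), which is what makes it comparable with the scanner's own warning location.
    Commented-out XML is never reported: expat does not hand comment contents to the handler.
    """
    findings: list[dict] = []
    parser = xml.parsers.expat.ParserCreate()

    def start_element(name: str, attrs: dict) -> None:
        if name != "httpRuntime" or "maxRequestLength" not in attrs:
            return
        raw = attrs["maxRequestLength"]
        location = {"line": parser.CurrentLineNumber, "column": parser.CurrentColumnNumber}
        try:
            value = int(raw)
        except ValueError:
            # Unknown effective limit: surface it rather than silently passing it.
            findings.append({**location, "value": raw, "reason": "non-numeric"})
            return
        if value > limit:
            findings.append({**location, "value": value, "reason": f"exceeds {limit}"})

    parser.StartElementHandler = start_element
    parser.Parse(web_config_xml, True)
    return findings


# Constructed sample: the 100000 value from the question, which stays under the default limit.
SAFE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="100000" />
  </system.web>
</configuration>
"""
# Constructed sample: same file with a value above the default limit, which should be flagged.
UNSAFE_CONFIG = SAFE_CONFIG.replace('maxRequestLength="100000"', 'maxRequestLength="100000000"')

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        print(label, find_request_length_hotspots(cfg))
```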